On 2013-12-11 18:28:14 +0100 (+0100), Monty Taylor wrote:
> On 12/11/2013 03:51 PM, Russell Bryant wrote:
> > On 12/10/2013 05:57 PM, Paul McMillan wrote:
> > [...]
> > > If you don't have anyone else who is a web security specialist
> > > on the core team, I'd like to stay. Since I'm also a member of
> > > the Django security team, I offer a significant chunk of
> > > knowledge about how the underlying security protections are
> > > intended to work.
> >
> > Security reviews aren't done on gerrit, though. They are
> > handled in launchpad bugs. It seems you could still contribute
> > in this way without being on the horizon-core team responsible
> > for reviewing normal changes in gerrit.
> [...]
> And as a follow-up - I betcha the vulnerability-management team
> would LOVE to have you!
In particular, there are plenty of open public vulnerabilities throughout OpenStack in various states of being addressed which you can pitch in on even with fairly limited levels of commitment. Anything which needs an advisory, or which we think might need one but are not yet sure, is listed at https://bugs.launchpad.net/ossa (with privately-reported and still embargoed issues being the exception). Whatever you see there which piques your interest, whether it needs testing/confirmation, a patch or even just an expert opinion on exploitability/risk, would be a welcome contribution.

Any help we get dealing with already public vulnerabilities frees up more of our time to focus on embargoed items while still keeping the core group small (minimizing risk of premature disclosure).

More info at...

https://wiki.openstack.org/wiki/Vulnerability_Management

</end_public_service_announcement>
--
Jeremy Stanley