On 2017-01-17 13:26:02 +0100 (+0100), Julien Danjou wrote:
> I've asked on #openstack-security without success, so let me try here
> instead:
>
> We, Telemetry, have a security bug and we're not managed by VMT, any
> hint as how to handle our bug? Or how to get covered by VMT? 😊
Others have already answered most of your questions in this thread, but since nobody from the VMT has chimed in yet I'll just state on our behalf that we're generally happy to consult privately or publicly on any suspected vulnerability report within the OpenStack ecosystem (and sometimes beyond).

If you subscribe openstack-vuln-mgmt (OpenStack Vulnerability Management team) on Launchpad to the private bug in question we'll get notified automatically and take a look. For deliverables with the vulnerability:managed governance tag this happens automatically and we prioritize our time toward those, but we're available to help on others as well on a best-effort basis and time permitting.

The VMT's process document exists primarily for the purposes of transparency, and outlines the steps we follow and templates we use when triaging suspected vulnerabilities for OpenStack deliverables with the vulnerability:managed governance tag. It's also usable in great part by other deliverables, and though the VMT doesn't officially take responsibility for those we're still usually able to help take you through the process and answer questions.

If you need to reach us through a secure channel, e-mail addresses and corresponding OpenPGP keys are published at https://security.openstack.org/#how-to-report-security-issues-to-openstack for anyone who needs them.

-- 
Jeremy Stanley
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev