On Tue, Jan 17 2017, Jeremy Stanley wrote:

> Others have already answered most of your questions in this thread,
> but since nobody from the VMT has chimed in yet I'll just state on
> our behalf that we're generally happy to consult privately or
> publicly on any suspected vulnerability report within the OpenStack
> ecosystem (and sometimes beyond). If you subscribe
> openstack-vuln-mgmt (OpenStack Vulnerability Management team) on
> Launchpad to the private bug in question we'll get notified
> automatically and take a look. For deliverables with the
> vulnerability:managed governance tag this happens automatically and
> we prioritize our time toward those, but we're available to help on
> others as well on a best-effort basis and time permitting.
>
> The VMT's process document exists primarily for the purposes of
> transparency, and outlines the steps we follow and templates we use
> when triaging suspected vulnerabilities for OpenStack deliverables
> with the vulnerability:managed governance tag. It's also usable in
> great part by other deliverables, and though the VMT doesn't
> officially take responsibility for those we're still usually able to
> help take you through the process and answer questions. If you need
> to reach us through a secure channel, E-mail addresses and
> corresponding OpenPGP keys are published at
> https://security.openstack.org/#how-to-report-security-issues-to-openstack
> for anyone who needs them.
Amazing feedback, thanks Jeremy.

-- 
Julien Danjou
/* Free Software hacker
   https://julien.danjou.info */