The Vulnerability Management Team
The OpenStack Vulnerability Management Team (VMT) provides a point of contact
for individuals or groups wanting to report a security issue in OpenStack. They
do the initial triage and response to any reported vulnerabilities for the
projects that have the
vulnerability:managed tag. This tag provides a clear
indication that a project has coverage from the VMT, and allows OpenStack to
have a reasonable security baseline - an assurance passed on to implementors
and operators of OpenStack clouds.
To create this assurance for a given service, the VMT has a list of requirements to be fulfilled before requesting the vulnterability:managed tag. There are six requirements the VMT looks at when a service requests inclusion.
vulnerability:managedtag applies to all repos within a given deliverable.
- The deliverable must have a dedicated point of contact for security issues.
- The PTL for the deliverable is also a point of contact, or delegates one.
- A defect/bug tracker for the deliverable is configured to initially only allow access to the VMT, which will then bring in deliverable liaisons as needed.
- The deliverable repository is audited for security by a third party.
- Automated testing is in place to cover the main features of the deliverable, and are lightweight enough to run locally, but are also in the OpenStack CI infrastructure.
The complete description of each of the requirements is on the Security.OpenStack.org VMT ‘Vulnerability Managed’ page.
Using the OpenStack tracker and CI infrastructure will allow for requirement number four - secure defect/bug tracking, and allow easy extension for requirement six - automated testing.
Requesting The Tag
Once the above requirements are met, a thread describing the request should be created on the openstack-dev mailinglist. Once the request is responded to by the VMT, the tag can be requested through a change to the OpenStack Governance repository. An example request can be seen for the Ironic project
Once the above change is merged, the VMT will be able to receive secure bug defect reports, be able to analyze them to determine if they are legitimate or not, develop a patch to remediate the issue, have the deliverable’s point of contact review the patch for impact on the service, and responsibly disclose the defect, impact, and patch to downstream stakeholders.