Security Coverage: Adding the Vulnerability:Managed Tag

The Vulnerability Management Team

The OpenStack Vulnerability Management Team (VMT) provides a point of contact for individuals or groups wanting to report a security issue in OpenStack. They do the initial triage and response to any reported vulnerabilities for the projects that have the vulnerability:managed tag. This tag provides a clear indication that a project has coverage from the VMT, and allows OpenStack to have a reasonable security baseline - an assurance passed on to implementors and operators of OpenStack clouds.


To create this assurance for a given service, the VMT has a list of requirements to be fulfilled before requesting the vulnterability:managed tag. There are six requirements the VMT looks at when a service requests inclusion.

  1. The vulnerability:managed tag applies to all repos within a given deliverable.
  2. The deliverable must have a dedicated point of contact for security issues.
  3. The PTL for the deliverable is also a point of contact, or delegates one.
  4. A defect/bug tracker for the deliverable is configured to initially only allow access to the VMT, which will then bring in deliverable liaisons as needed.
  5. The deliverable repository is audited for security by a third party.
  6. Automated testing is in place to cover the main features of the deliverable, and are lightweight enough to run locally, but are also in the OpenStack CI infrastructure.

The complete description of each of the requirements is on the VMT ‘Vulnerability Managed’ page.

Using the OpenStack tracker and CI infrastructure will allow for requirement number four - secure defect/bug tracking, and allow easy extension for requirement six - automated testing.

Requesting The Tag

Once the above requirements are met, a thread describing the request should be created on the openstack-dev mailinglist. Once the request is responded to by the VMT, the tag can be requested through a change to the OpenStack Governance repository. An example request can be seen for the Ironic project

Vulnerability, Managed

Once the above change is merged, the VMT will be able to receive secure bug defect reports, be able to analyze them to determine if they are legitimate or not, develop a patch to remediate the issue, have the deliverable’s point of contact review the patch for impact on the service, and responsibly disclose the defect, impact, and patch to downstream stakeholders.