From 33b93b806f871c89869bd07343c16ff623ec191a Mon Sep 17 00:00:00 2001
From: Goutham Pacha Ravi <gouthampravi@gmail.com>
Date: Mon, 17 Mar 2025 15:42:19 -0700
Subject: [PATCH] [resolution] Extend scope of VMT to cover all project teams

Change-Id: Ib43644523b85f2b778b985948ec49f1b7a937ac8
---
 reference/tc-chair-responsibilities.rst       |  3 +-
 ...17-extend-scope-VMT-cover-all-projects.rst | 67 +++++++++++++++++++
 2 files changed, 69 insertions(+), 1 deletion(-)
 create mode 100644 resolutions/20250317-extend-scope-VMT-cover-all-projects.rst

diff --git a/reference/tc-chair-responsibilities.rst b/reference/tc-chair-responsibilities.rst
index 45038f907..909ce7c69 100644
--- a/reference/tc-chair-responsibilities.rst
+++ b/reference/tc-chair-responsibilities.rst
@@ -35,7 +35,8 @@ Each Cycle
     <https://etherpad.opendev.org/p/tc-xena-tracker>`__
   * Update the etherpad link in the `wiki
     <https://wiki.openstack.org/wiki/Technical_Committee_Tracker>`__
-
+* Nominate two members of the TC to be a part of the OpenStack Vulnerability
+  Management team.
 * Check on the active goals and, if there is no active goal, then ensure
   that 2 TC members are signed up to manage the goal selection process.
 * Ensure PTI and testing runtime update is done.
diff --git a/resolutions/20250317-extend-scope-VMT-cover-all-projects.rst b/resolutions/20250317-extend-scope-VMT-cover-all-projects.rst
new file mode 100644
index 000000000..d3aa6a0a9
--- /dev/null
+++ b/resolutions/20250317-extend-scope-VMT-cover-all-projects.rst
@@ -0,0 +1,67 @@
+=====================================================
+2025-03-17 Extend scope of VMT to cover all projects
+=====================================================
+
+The OpenStack `vulnerability management team (VMT)`_ is responsible
+for vulnerability management practices across most OpenStack
+project repositories. The team coordinates the progressive disclosure
+of vulnerabilities by working with bug reporters, project contributors
+and project maintainers. Their work is crucial not only in handling
+different classes of security issues in or related to the
+OpenStack code base, but also in ensuring a common entry point and a
+consistent process around such issues. This consistency is essential to
+users, operators and developers of OpenStack since they needn't be burdened
+from following team-specific processes, intentionally or
+inadvertently violating disclosures because of differences in security
+processes between different OpenStack project teams.
+
+Historically, OpenStack teams have been encouraged to work with the
+`OpenStack Security SIG`_, which includes the VMT, by opting-into this security
+process. VMT's oversight has been restricted to deliverables from a `subset of
+OpenStack project teams`_.
+
+The OpenStack Technical Committee resolves to extend the mandate of the
+OpenStack Vulnerability Management Team, and add all
+:doc:`/reference/projects/index` under their purview.
+
+This resolution does not automatically bring all code repositories
+under the ``openstack/`` namespace on opendev.org under VMT. Individual project
+teams retain the discretion to determine which repositories should be subject
+to vulnerability management.
+
+The VMT commits its efforts to the ``master`` branch (the primary development
+branch) and all `maintained`_ stable branches. This resolution does not
+require the VMT to extend vulnerability management to any other code branches.
+
+This resolution requires OpenStack project teams to:
+
+- nominate a security liaison for their projects. This is already
+  a requirement of teams following
+  :doc:`/reference/distributed-project-leadership`. Project team leaders
+  must update the `VMT liaisons`_ list and ensure it remains current
+  through each release cycle.
+- ensure that project bug trackers follow the VMT guidelines including
+  defining a ``<project>-coresec`` team and granting access to the
+  `VMT Launchpad team`_ to view private security bugs in the project.
+- ensure that project bug trackers, project teams and the above-mentioned
+  ``coresec`` groups on https://launchpad.net are owned by
+  ``OpenStack Administrators``.
+- limit membership in the project’s coresec group to a small subset of
+  trusted contributors and update the group each release cycle by
+  removing inactive members.
+
+In rare occasions, project teams may not comply to the guidelines of the VMT,
+such as respecting bug embargo timelines, or responding to questions
+on bug reports within a reasonable timeframe. With each term of the
+OpenStack TC, we resolve to nominate two representatives to interface with the
+OpenStack VMT. These members may participate in triaging security bugs and
+helping with the VMT process, however, the primary responsibility would be to
+ensure that project teams are attentive and responsive through the
+vulnerability management process.
+
+.. _vulnerability management team (VMT): https://docs.openstack.org/project-team-guide/vulnerability-management.html
+.. _subset of OpenStack project teams: https://opendev.org/openstack/ossa/src/commit/dca905784d01aace07e35bac7cb9bc8d87891cbb/doc/source/repos-overseen.rst
+.. _OpenStack Security SIG: https://wiki.openstack.org/wiki/Security-SIG
+.. _VMT liaisons: https://wiki.openstack.org/wiki/CrossProjectLiaisons#Vulnerability_management
+.. _maintained: https://docs.openstack.org/project-team-guide/stable-branches.html
+.. _VMT Launchpad team: https://launchpad.net/~openstack-vuln-mgmt