Make VMT contact list more discoverable
Get rid of the outdated section for the long-gone Security Project, and move the VMT contact info from it to near the top of the main security.o.o page. Also switch references in the process document to link that list instead of going to the LP group page (which made obtaining contact information a challenge).

Change-Id: I6aaf4da8bff51bc63706fc20e9f5f68d6e9b0fe4
This commit is contained in:
parent
d4785ae6fd
commit
0e017735e8
@ -44,16 +44,8 @@ is:
|
|||
|
||||
* If the issue is extremely sensitive or you're otherwise unable to use the
|
||||
bug tracker directly, please send an E-mail message to one or more of the
|
||||
Team's members. You're encouraged to encrypt messages to their OpenPGP
|
||||
keys, which can be found linked below and also on the keyserver network
|
||||
with the following fingerprints:
|
||||
|
||||
* Jeremy Stanley <fungi@yuggoth.org>:
|
||||
`key 0x97ae496fc02dec9fc353b2e748f9961143495829`_ (details__)
|
||||
* Gage Hugo <gage.hugo@gmail.com>:
|
||||
`key 0x59ad76e5c2c722ebfa7a4a1fe7a8fd2b76febd11`_ (details__)
|
||||
* Matthew Thode <mthode@mthode.org>:
|
||||
`key 0x14b91caaf68c4849f90ca41333ed3fd25afc78ba`_ (details__)
|
||||
`Vulnerability Management Team`'s members. You're encouraged to encrypt
|
||||
messages to their OpenPGP keys.
|
||||
|
||||
.. note::
|
||||
|
||||
|
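Review bot: the replacement paragraph's `` `Vulnerability Management Team`'s members `` is not a hyperlink: single backticks with no trailing underscore are interpreted text, which docutils renders as a title reference (italics), so the reader is told to contact the team but gets no link to the contact list this change is meant to make discoverable. Since the target `.. _vulnerability management team:` is defined later in the same file, write it as `` `Vulnerability Management Team`_'s members `` (or use `:ref:` as vmt-process now does). Dropping the fingerprints from this paragraph also means the moved list further down becomes the single place to update when membership or keys change, which is the right outcome but worth stating in the commit message.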
@ -62,6 +54,44 @@ is:
|
|||
private will be made public within 90 calendar days from when it is received,
|
||||
even if a solution has not been identified.
|
||||
|
||||
|
||||
.. _openstack security project:
|
||||
.. _vulnerability management:
|
||||
.. _vulnerability management team:
|
||||
|
||||
Vulnerability Management Team
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
An autonomous subgroup of vulnerability management specialists with in the
|
||||
security team make up the OpenStack vulnerability management team (VMT).
|
||||
Their job is facilitating the reporting of vulnerabilities, coordinating
|
||||
security fixes and handling progressive disclosure of the vulnerability
|
||||
information. Specifically, they are responsible for the following functions:
|
||||
|
||||
* Vulnerability Management: All vulnerabilities discovered by community
|
||||
members (or users) can be reported to the Team.
|
||||
|
||||
* Vulnerability Tracking: The Team will curate a set of vulnerability related
|
||||
issues in the issue tracker. Some of these issues will be private to the
|
||||
Team and the affected product leads, but once remediated, all vulnerabilities
|
||||
will be public.
|
||||
|
||||
* Responsible Disclosure: As part of our commitment to work with the security
|
||||
community, the Team will ensure that proper credit is given to security
|
||||
researchers who responsibly report issues in OpenStack.
|
||||
|
||||
To directly reach members of the VMT, contact them at the following addresses
|
||||
(optionally encrypted for the indicated OpenPGP keys):
|
||||
|
||||
* Jeremy Stanley <fungi@yuggoth.org>:
|
||||
`key 0x97ae496fc02dec9fc353b2e748f9961143495829`_ (details__)
|
||||
* Gage Hugo <gage.hugo@gmail.com>:
|
||||
`key 0x59ad76e5c2c722ebfa7a4a1fe7a8fd2b76febd11`_ (details__)
|
||||
* Matthew Thode <mthode@mthode.org>:
|
||||
`key 0x14b91caaf68c4849f90ca41333ed3fd25afc78ba`_ (details__)
|
||||
|
||||
See :doc:`vmt-process` for details on our open process.
|
||||
|
||||
.. Static key files are generated with the following command:
|
||||
( gpg2 --fingerprint 0x97ae496fc02dec9fc353b2e748f9961143495829
|
||||
gpg2 --armor --export-options export-clean,export-minimal \
|
||||
|
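Review bot: "with in the security team" in the moved paragraph should read "within"; since the text is being relocated anyway, fix the typo here rather than carry it over from the deleted section. Two checks on the added block: the heading keeps its `~~~~` underline although its parent section has changed, so confirm it renders at the intended level beneath the surrounding `----` section; and the three anonymous `details__` references must stay in the same order as the `.. __:` keyserver targets they pair with (Jeremy Stanley, Gage Hugo, Matthew Thode), otherwise docutils reports an anonymous hyperlink mismatch. Placing the labels `.. _openstack security project:` and `.. _vulnerability management:` ahead of the new title is a good touch, since it keeps `:ref:` links to the removed section titles resolving.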
@ -74,7 +104,6 @@ is:
|
|||
.. _`key 0x14b91caaf68c4849f90ca41333ed3fd25afc78ba`: _static/0x14b91caaf68c4849f90ca41333ed3fd25afc78ba.txt
|
||||
.. __: http://pool.sks-keyservers.net:11371/pks/lookup?op=vindex&search=0x14b91caaf68c4849f90ca41333ed3fd25afc78ba&fingerprint=on
|
||||
|
||||
|
||||
Security information for OpenStack deployers
|
||||
--------------------------------------------
|
||||
|
||||
|
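Review bot: the `details__` targets in the context lines point at `http://pool.sks-keyservers.net:11371/...` over plain HTTP. The fingerprints in the text and the `_static` key files served from the docs site remain the trustworthy source, so the exposure is limited to an unauthenticated lookup page, but since this hunk already touches the neighbouring lines it would be a cheap follow-up to serve the lookup links over HTTPS (or an hkps endpoint) where the keyserver supports it.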
@ -190,35 +219,3 @@ security vulnerabilities within the OpenStack platform.
|
|||
|
||||
./guidelines/*
|
||||
|
||||
|
||||
OpenStack Security Project
|
||||
--------------------------
|
||||
|
||||
The OpenStack Security Project runs an number of initiatives aimed at improving
|
||||
the overall security of OpenStack projects and ensuring that security incidents
|
||||
are handled in a coordinated fashion. Key initiatives that fall within the
|
||||
security project's areas of responsibility are outlined below.
|
||||
|
||||
|
||||
Vulnerability Management
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
An autonomous subgroup of vulnerability management specialists with in the
|
||||
security team make up the OpenStack vulnerability management team (VMT).
|
||||
Their job is facilitating the reporting of vulnerabilities, coordinating
|
||||
security fixes and handling progressive disclosure of the vulnerability
|
||||
information. Specifically, they are responsible for the following functions:
|
||||
|
||||
* Vulnerability Management: All vulnerabilities discovered by community
|
||||
members (or users) can be reported to the Team.
|
||||
|
||||
* Vulnerability Tracking: The Team will curate a set of vulnerability related
|
||||
issues in the issue tracker. Some of these issues will be private to the
|
||||
Team and the affected product leads, but once remediated, all vulnerabilities
|
||||
will be public.
|
||||
|
||||
* Responsible Disclosure: As part of our commitment to work with the security
|
||||
community, the Team will ensure that proper credit is given to security
|
||||
researchers who responsibly report issues in OpenStack.
|
||||
|
||||
See :doc:`vmt-process` for details on our open process.
|
||||
|
|
|
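Review bot: deleting the `OpenStack Security Project` and `Vulnerability Management` headings removes their implicit section targets, and only the explicit labels added before the new heading keep inbound links working. Before merging, grep the whole tree (not just vmt-process) for `:ref:` and `` `...`_ `` references to either title, and for any external documentation that deep-links to `#openstack-security-project`, to confirm nothing else depended on the old section names.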
@ -7,7 +7,7 @@
|
|||
Vulnerability Management Process
|
||||
==================================
|
||||
|
||||
The OpenStack vulnerability management team (VMT_) is responsible
|
||||
The OpenStack :ref:`Vulnerability Management Team` is responsible
|
||||
for coordinating the progressive disclosure of a vulnerability.
|
||||
|
||||
Members of the team are independent and security-minded folks who
|
||||
|
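Review bot: replacing `(VMT_)` with `:ref:`Vulnerability Management Team`` drops the definition of the acronym VMT from the opening sentence, although the rest of the document (and the file name `vmt-process`) keeps using it. Suggest `The OpenStack :ref:`Vulnerability Management Team` (VMT) is responsible` so the abbreviation is still introduced at first use. The `:ref:` itself will resolve: Sphinx lowercases label names, and `vulnerability management team` directly precedes a section title in security.rst.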
@ -19,8 +19,6 @@ any vulnerabilities. In order to reduce the disclosure of
|
|||
vulnerability in the early stages, membership of this team is
|
||||
intentionally limited to a small number of people.
|
||||
|
||||
.. _VMT: https://launchpad.net/~openstack-vuln-mgmt
|
||||
|
||||
Supported versions
|
||||
------------------
|
||||
|
||||
|
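Review bot: removing the `.. _VMT:` target turns any remaining `VMT_` reference in this file into a docutils error (`Unknown target name: "vmt"`). The hunk at line 364 converts one occurrence; confirm with a search of vmt-process.rst that no others remain before the target is dropped.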
@ -364,7 +362,8 @@ stakeholders to react.
|
|||
|
||||
If you're currently not a referenced stakeholder and think you
|
||||
should definitely be included on that email distribution list,
|
||||
please submit an email with a rationale to member(s) of the VMT_.
|
||||
please submit an email with a rationale to member(s) of the
|
||||
:ref:`Vulnerability Management Team`.
|
||||
|
||||
Templates
|
||||
---------
|
||||
|
|
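Review bot: pointing stakeholders at the `:ref:` contact list instead of the Launchpad group changes what the link guarantees: the Launchpad group page reflected current membership automatically, whereas the list in security.rst is hand-maintained. Add a reminder (in the VMT process or the team's onboarding notes) that membership changes and key rotations require a matching edit to security.rst, otherwise reporters and stakeholders will mail, and encrypt to, stale contacts.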