From c47cf1e4890cec1c48ee6c3a73c32e9aee236a02 Mon Sep 17 00:00:00 2001 From: Jeremy Stanley Date: Wed, 9 Jun 2021 18:33:14 +0000 Subject: [PATCH] Make VMT contact list more discoverable Get rid of the outdated section for the long gone Security Project, and move the VMT contact info from it to near the top of the main security.o.o page. Also switch references in the process document to link that list instead of going to the LP group page (which made obtaining contact information a challenge). Change-Id: I6aaf4da8bff51bc63706fc20e9f5f68d6e9b0fe4 --- doc/source/index.rst | 83 ++++++++++++++++++-------------------- doc/source/vmt-process.rst | 7 ++-- 2 files changed, 43 insertions(+), 47 deletions(-) diff --git a/doc/source/index.rst b/doc/source/index.rst index 1603e73..e9adf02 100644 --- a/doc/source/index.rst +++ b/doc/source/index.rst @@ -44,16 +44,8 @@ is: * If the issue is extremely sensitive or you're otherwise unable to use the bug tracker directly, please send an E-mail message to one or more of the - Team's members. You're encouraged to encrypt messages to their OpenPGP - keys, which can be found linked below and also on the keyserver network - with the following fingerprints: - - * Jeremy Stanley : - `key 0x97ae496fc02dec9fc353b2e748f9961143495829`_ (details__) - * Gage Hugo : - `key 0x59ad76e5c2c722ebfa7a4a1fe7a8fd2b76febd11`_ (details__) - * Matthew Thode : - `key 0x14b91caaf68c4849f90ca41333ed3fd25afc78ba`_ (details__) + `Vulnerability Management Team`_'s members. You're encouraged to encrypt + messages to their OpenPGP keys. .. note:: 
@@ -62,6 +54,44 @@ is: private will be made public within 90 calendar days from when it is received, even if a solution has not been identified. + +.. _openstack security project: +.. _vulnerability management: +.. _vulnerability management team: + +Vulnerability Management Team +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +An autonomous subgroup of vulnerability management specialists with in the +security team make up the OpenStack vulnerability management team (VMT). +Their job is facilitating the reporting of vulnerabilities, coordinating +security fixes and handling progressive disclosure of the vulnerability +information. Specifically, they are responsible for the following functions: + +* Vulnerability Management: All vulnerabilities discovered by community + members (or users) can be reported to the Team. + +* Vulnerability Tracking: The Team will curate a set of vulnerability related + issues in the issue tracker. Some of these issues will be private to the + Team and the affected product leads, but once remediated, all vulnerabilities + will be public. + +* Responsible Disclosure: As part of our commitment to work with the security + community, the Team will ensure that proper credit is given to security + researchers who responsibly report issues in OpenStack. + +To directly reach members of the VMT, contact them at the following addresses +(optionally encrypted for the indicated OpenPGP keys): + +* Jeremy Stanley : + `key 0x97ae496fc02dec9fc353b2e748f9961143495829`_ (details__) +* Gage Hugo : + `key 0x59ad76e5c2c722ebfa7a4a1fe7a8fd2b76febd11`_ (details__) +* Matthew Thode : + `key 0x14b91caaf68c4849f90ca41333ed3fd25afc78ba`_ (details__) + +See :doc:`vmt-process` for details on our open process. + .. Static key files are generated with the following command: ( gpg2 --fingerprint 0x97ae496fc02dec9fc353b2e748f9961143495829 gpg2 --armor --export-options export-clean,export-minimal \ 
@@ -74,7 +104,6 @@ is: .. _`key 0x14b91caaf68c4849f90ca41333ed3fd25afc78ba`: _static/0x14b91caaf68c4849f90ca41333ed3fd25afc78ba.txt .. __: http://pool.sks-keyservers.net:11371/pks/lookup?op=vindex&search=0x14b91caaf68c4849f90ca41333ed3fd25afc78ba&fingerprint=on - Security information for OpenStack deployers -------------------------------------------- @@ -190,35 +219,3 @@ security vulnerabilities within the OpenStack platform. ./guidelines/* - -OpenStack Security Project --------------------------- - -The OpenStack Security Project runs an number of initiatives aimed at improving -the overall security of OpenStack projects and ensuring that security incidents -are handled in a coordinated fashion. Key initiatives that fall within the -security project's areas of responsibility are outlined below. - - -Vulnerability Management -~~~~~~~~~~~~~~~~~~~~~~~~ - -An autonomous subgroup of vulnerability management specialists with in the -security team make up the OpenStack vulnerability management team (VMT). -Their job is facilitating the reporting of vulnerabilities, coordinating -security fixes and handling progressive disclosure of the vulnerability -information. Specifically, they are responsible for the following functions: - -* Vulnerability Management: All vulnerabilities discovered by community - members (or users) can be reported to the Team. - -* Vulnerability Tracking: The Team will curate a set of vulnerability related - issues in the issue tracker. Some of these issues will be private to the - Team and the affected product leads, but once remediated, all vulnerabilities - will be public. - -* Responsible Disclosure: As part of our commitment to work with the security - community, the Team will ensure that proper credit is given to security - researchers who responsibly report issues in OpenStack. - -See :doc:`vmt-process` for details on our open process. diff --git a/doc/source/vmt-process.rst b/doc/source/vmt-process.rst index 51c36c4..290e4a6 100644 
--- a/doc/source/vmt-process.rst +++ b/doc/source/vmt-process.rst @@ -7,7 +7,7 @@ Vulnerability Management Process ================================== -The OpenStack vulnerability management team (VMT_) is responsible +The OpenStack :ref:`Vulnerability Management Team` is responsible for coordinating the progressive disclosure of a vulnerability. Members of the team are independent and security-minded folks who @@ -19,8 +19,6 @@ any vulnerabilities. In order to reduce the disclosure of vulnerability in the early stages, membership of this team is intentionally limited to a small number of people. -.. _VMT: https://launchpad.net/~openstack-vuln-mgmt - Supported versions ------------------ @@ -364,7 +362,8 @@ stakeholders to react. If you're currently not a referenced stakeholder and think you should definitely be included on that email distribution list, -please submit an email with a rationale to member(s) of the VMT_. +please submit an email with a rationale to member(s) of the +:ref:`Vulnerability Management Team`. Templates ---------
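Review bot: in the index.rst hunk at @@ -44, the rewritten bullet still tells reporters to "encrypt messages to their OpenPGP keys" but no longer says where those keys live; since the `Vulnerability Management Team`_ reference resolves to the new section that lists the fingerprints and key files (docutils reference names are case-insensitive, so it matches `.. _vulnerability management team:`), consider "to their OpenPGP keys, listed in the linked section" so a reader of the rendered bullet knows to follow the link.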
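Review bot: in the index.rst hunk at @@ -62, "specialists with in the security team" should read "within", and "An autonomous subgroup ... make up" should be "makes up"; the paragraph is being moved wholesale, so this is the moment to fix it. More importantly, "the security team" referred to the Security Project section that this same change deletes, so the sentence now points at a group the page no longer describes; something like "An autonomous group of vulnerability management specialists makes up the OpenStack vulnerability management team (VMT)" avoids the dangling reference. Reusing the `openstack security project` label on the VMT section keeps old inbound links resolving, which is fine, but note that those links will now land on VMT text rather than a Security Project description.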
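Review bot: in the index.rst hunk at @@ -74, the removed blank line was the only separator between the `.. __: http://pool.sks-keyservers.net...` target and the "Security information for OpenStack deployers" title, so the explicit markup block now runs straight into the section heading; docutils will most likely report "Explicit markup ends without a blank line; unexpected unindent", and a build that treats warnings as errors would fail. Keep one blank line after the last target.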
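Review bot: in the index.rst hunk at @@ -190, the deleted "OpenStack Security Project" section was the only prose describing that project, and its old heading anchor is now only preserved via the `.. _openstack security project:` label added above; before merging, check the rest of the doc tree (including the guidelines pulled in by the toctree just above) for any remaining "Security Project" links or mentions so nothing refers to a section that no longer exists.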
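Review bot: in the vmt-process.rst hunk at @@ -7, the bare :ref:`Vulnerability Management Team` relies on the label sitting immediately before a section title in index.rst (Sphinx lowercases ref targets, so it matches `.. _vulnerability management team:`), and the link text will silently change if that heading is ever renamed; if the page should keep saying "VMT" as it did before, the explicit form :ref:`VMT <vulnerability management team>` is more robust and shorter.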
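Review bot: in the vmt-process.rst hunk at @@ -19, dropping the `.. _VMT:` target turns any `VMT_` reference this patch does not touch into an unresolved-reference error; only the usages at lines 7 and 364 are rewritten here, so grep vmt-process.rst (and the other pages) for leftover `VMT_` before merging. This also removes the https://launchpad.net/~openstack-vuln-mgmt URL from the docs entirely; if the Launchpad group is still the authoritative membership roster, consider keeping it as a secondary link in the new VMT section alongside the address list.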