On 2017-05-29 15:43:43 +0200 (+0200), Emilien Macchi wrote:
> On Wed, May 24, 2017 at 7:45 PM, Ben Nemec <[email protected]> wrote:
[...]
> > Emilien, I think we should create a tripleo-coresec group in
> > launchpad that can be used for this. We have had
> > tripleo-affecting security bugs in the past and I imagine we
> > will again. I'm happy to help out with that, although I will
> > admit my launchpad-fu is kind of weak so I don't know off the
> > top of my head how to do it.
>
> That or re-use an existing Launchpad group used by OpenStack VMT?

The OpenStack VMT doesn't triage bugs for deliverables aside from those tagged with vulnerability:managed in governance. For those we recommend private security bugs only be automatically shared with the openstack-vuln-mgmt team in LP, and then we manually subscribe something-coresec to the report once we're sure it was reported against the correct project. For deliverables without VMT oversight, it makes sense to have private security bugs automatically shared with those something-coresec teams directly.

https://governance.openstack.org/tc/reference/tags/vulnerability_managed.html

--
Jeremy Stanley
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
