Excerpts from John Dickinson's message of 2016-01-25 10:58:19 -0800:
> I'd like to lengthen the embargo window on CVE disclosures.
>
> Currently, the process is this
> (https://security.openstack.org/vmt-process.html):
>
> 1. A security bug is reported (and confirmed as valid)
> 2. A patch is developed and reviewed
> 3. After the proposed fix is approved by reviewers, a CVE is filed
> 4. 3-5 business days later, the vulnerability is disclosed publicly and the
> patches are landed upstream
>
> The problem as I see it is that the 3 to 5 day embargo is way too short.
> Specifically, for those supporting OpenStack projects in a product, the short
> embargo does not allow sufficient time for applying, testing, and staging the
> fix in time for the disclosure. This leaves end-users and deployers with the
> situation of having a publicly announced security vulnerability without any
> hope of having a fix.
>
> I would like the embargo period to be lengthened to be 2 weeks.
>
> --John
I wasn't involved in the discussions that set the current embargo window. Do we have a record of why that length of time was selected? Was it based on feedback at the time?

I don't have a problem with lengthening the window, if the security team agrees, but I'd like to understand how the current window was established.

Doug