I'd like to lengthen the embargo window on CVE disclosures. Currently, the process is this (https://security.openstack.org/vmt-process.html):
1. A security bug is reported (and confirmed as valid)
2. A patch is developed and reviewed
3. After the proposed fix is approved by reviewers, a CVE is filed
4. 3-5 business days later, the vulnerability is disclosed publicly and the patches are landed upstream

The problem as I see it is that the 3 to 5 day embargo is way too short. Specifically, for those supporting OpenStack projects in a product, the short embargo does not allow sufficient time for applying, testing, and staging the fix in time for the disclosure. This leaves end-users and deployers with the situation of having a publicly announced security vulnerability without any hope of having a fix.

I would like the embargo period to be lengthened to be 2 weeks.

--John
_______________________________________________ OpenStack-operators mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
