The vulnerability management team for the OpenStack project handles hundreds of incoming reports of potential security vulnerabilities, and publishes dozens of advisories every year. Reconciling reception, embargo, and coordinated disclosure of vulnerability reports, in otherwise entirely open and community-developed software, is no small feat.
In this talk I’ll discuss the published vulnerability management processes followed by the OpenStack project and the supporting tooling we employ. I’ll also explain the conflict between open communication and coordinated disclosure, a balance with which many free software projects struggle, and how we’ve managed to maintain it without compromising our community ideals.
A long-time computer hobbyist and technology generalist, Jeremy Stanley has worked as a Unix and GNU/Linux sysadmin for more than two decades focusing on information security, internet services, and datacenter automation. He’s a root member of the OpenStack project infrastructure team, and serves on the OpenStack vulnerability management team. Living on a small island in the Atlantic, in his spare time he writes free software, hacks on open hardware projects and embedded platforms, restores old video game systems, and enjoys articles on math theory and cosmology.
©2015, O'Reilly Media, Inc.