July 20–24, 2015
Portland, OR

Vulnerability management for open software development

Jeremy Stanley (OpenStack Foundation)
10:40am–11:20am Thursday, 07/23/2015
Protect D135/136

Prerequisite Knowledge

Familiarity with defect handling and development in open/free community software will enhance the experience, but is not strictly necessary.


The vulnerability management team for the OpenStack project handles hundreds of incoming reports of potential security vulnerabilities, and publishes dozens of advisories every year. Reconciling reception, embargo, and coordinated disclosure of vulnerability reports, in otherwise entirely open and community-developed software, is no small feat.

In this talk I’ll discuss the published vulnerability management processes followed by the OpenStack project and the supporting tooling we employ. I’ll also explain the conflict between open communication and coordinated disclosure, a balance with which many free software projects struggle, and how we’ve managed to maintain it without compromising our community ideals.

Jeremy Stanley

OpenStack Foundation

A long-time computer hobbyist and technology generalist, Jeremy Stanley has worked as a Unix and GNU/Linux sysadmin for more than two decades focusing on information security, internet services, and datacenter automation. He’s a root member of the OpenStack project infrastructure team, and serves on the OpenStack vulnerability management team. Living on a small island in the Atlantic, in his spare time he writes free software, hacks on open hardware projects and embedded platforms, restores old video game systems, and enjoys articles on math theory and cosmology.