2025-03-17 Extend scope of VMT to cover all projects
The OpenStack vulnerability management team (VMT) is responsible for vulnerability management practices across most OpenStack project repositories. The team coordinates the progressive disclosure of vulnerabilities by working with bug reporters, project contributors and project maintainers. Their work is crucial not only in handling different classes of security issues in or related to the OpenStack code base, but also in providing a common entry point and a consistent process for such issues. This consistency is essential to users, operators and developers of OpenStack: they need not follow team-specific processes, nor risk intentionally or inadvertently violating disclosure embargoes because security processes differ between OpenStack project teams.
Historically, OpenStack teams have been encouraged to work with the OpenStack Security SIG, which includes the VMT, by opting into this security process. As a result, the VMT's oversight has been restricted to deliverables from a subset of OpenStack project teams.
The OpenStack Technical Committee resolves to extend the mandate of the OpenStack Vulnerability Management Team, and to add all projects listed at /reference/projects/index under their purview.
This resolution does not automatically bring all code repositories under the openstack/ namespace on opendev.org under the VMT. Individual project teams retain the discretion to determine which repositories should be subject to vulnerability management.
The VMT commits its efforts to the master branch (the primary development branch) and all maintained stable branches. This resolution does not require the VMT to extend vulnerability management to any other code branches.
This resolution requires OpenStack project teams to:
- nominate a security liaison for their projects. This is already a requirement of teams following /reference/distributed-project-leadership. Project team leaders must update the VMT liaisons list and ensure it remains current through each release cycle.
- ensure that project bug trackers follow the VMT guidelines, including defining a <project>-coresec team and granting the VMT Launchpad team access to view private security bugs in the project.
- ensure that project bug trackers, project teams and the above-mentioned coresec groups on https://launchpad.net are owned by OpenStack Administrators.
- limit membership in the project's coresec group to a small subset of trusted contributors, and update the group each release cycle by removing inactive members.
On rare occasions, project teams may fail to comply with the VMT's guidelines, such as respecting bug embargo timelines or responding to questions on bug reports within a reasonable timeframe. With each term of the OpenStack TC, we resolve to nominate two representatives to interface with the OpenStack VMT. These members may participate in triaging security bugs and helping with the VMT process; however, their primary responsibility is to ensure that project teams remain attentive and responsive throughout the vulnerability management process.