
Advisory Database

A database of previously reported advisories is maintained here: Previous OSVM Advisories

How to report vulnerabilities in OPNFV projects.

For secure communications, please send your messages encrypted to the following addresses:

    1. lhinds [at] redhat [dot] com (PGP key available from pgp.mit.edu)
    2. Sona [dot] Sarmadi [at] enea [dot] com (PGP key available from pgp.mit.edu)

When you contact the OPNFV security team by encrypted email, please include your own public key so that we can reply to you through the same secure channel.
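The mechanics of such a report, as an added example that is not part of this page or of any OSVM tooling: the GnuPG script below encrypts and signs a report to the team's key and exports the reporter's own public key to attach for the reply. The team's real key must be fetched from the keyserver named above and its fingerprint verified out of band before use; here a locally generated key stands in for it so the script runs offline, and the identities, file names and report text are all constructed for the example.

```shell
#!/bin/sh
# Added example, not OPNFV/OSVM tooling: encrypt and sign a vulnerability
# report with GnuPG and export the reporter's public key for the reply.
# Runs entirely in a throwaway GNUPGHOME with locally generated keys that
# stand in for the real OSVM recipient key, so it works offline.
set -eu

export GNUPGHOME
GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# Constructed identities. For a real report, REPORTER is your own UID and
# OSVM_TEAM is the key fetched from the keyserver named on the page, with
# its fingerprint checked out of band before use.
REPORTER="Reporter <reporter@example.invalid>"
OSVM_TEAM="OSVM stand-in <osvm@example.invalid>"

# gen_key UID: unattended key generation with an empty passphrase
# (GnuPG >= 2.1). Only sensible for throwaway keys like these.
gen_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" default default never
}

# encrypt_report PLAINTEXT RECIPIENT SIGNER OUTPUT
# Signing lets the team verify who sent the report. --trust-model always
# is acceptable here only because both keys were just generated locally;
# with a keyserver-fetched key, check the fingerprint and sign (or lsign)
# the key instead of bypassing the trust check.
encrypt_report() {
    gpg --batch --quiet --yes --armor --trust-model always \
        --local-user "$3" --recipient "$2" \
        --output "$4" --sign --encrypt "$1"
}

# export_pubkey UID: ASCII-armored public key to attach to the report so
# the team can answer over an encrypted channel.
export_pubkey() {
    gpg --batch --armor --export "$1"
}

# decrypt_report FILE: what the recipient runs; prints the plaintext to
# stdout and reports the signature check on stderr.
decrypt_report() {
    gpg --batch --quiet --decrypt "$1"
}

# roundtrip: write a constructed report, encrypt it, export the reporter
# key, then decrypt as the recipient. Prints the recovered plaintext.
roundtrip() {
    report="$GNUPGHOME/report.txt"
    printf 'Project: example-project\nSummary: constructed test report\n' > "$report"
    encrypt_report "$report" "$OSVM_TEAM" "$REPORTER" "$GNUPGHOME/report.asc"
    export_pubkey "$REPORTER" > "$GNUPGHOME/reporter-pubkey.asc"
    decrypt_report "$GNUPGHOME/report.asc"
}

gen_key "$REPORTER"
gen_key "$OSVM_TEAM"
roundtrip
```

For a real report, the files to send are report.asc (the encrypted, signed message) and reporter-pubkey.asc (your public key); the plaintext report should never leave the reporter's machine unencrypted.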

Initial response time

The OPNFV security team's goal is an initial response to a vulnerability report within 7 working days. This is a goal set by the team, not a guarantee; under some circumstances (e.g. when members are on vacation) the response may take longer.

How to become a vulnerability managed project in OPNFV.

Projects can have their security vulnerabilities managed under the OSVM process by requesting a security scheme in JIRA.

This allows a project's vulnerabilities to be handled under embargo: a JIRA issue can be marked as private, allowing coordination with the security group while a patch is prepared in private before the issue and patch are made public.

How to become a downstream stakeholder

Suppliers and distributors of OPNFV can request allocation as a downstream stakeholder. Downstream stakeholders are notified 3 to 5 working days before private issues and patches are made public, which gives them time to plan maintenance windows and patch application.

To request allocation as a downstream stakeholder, please email lhinds [at] redhat [dot] com or Sona [dot] Sarmadi [at] enea [dot] com.

Overview of OSVM

The OSVM process manages and coordinates the disclosure and handling of vulnerabilities reported or discovered within the OPNFV ecosystem and its upstream projects.

The process inherits from the already established and well-functioning OSSG VMT process and follows a responsible-disclosure approach.

Draft OSVM Embargoed Vulnerability Mgmt Process

The OPNFV OSVM process is licensed under CC Attribution 3.0 Unported; its use was kindly granted by the OpenStack Vulnerability Management Team. New additions and refinements made by the OPNFV security group are also released under the CC Attribution 3.0 Unported license.
