A database of previously reported advisories is maintained and can be found here: Previous OSVM Advisories
How to report vulnerabilities in OPNFV projects.
For secure communications, please send your messages encrypted to the following addresses:
When you contact the OPNFV security team using encrypted email, please make sure that you provide your public key information so that we can communicate through secure channels.
Initial response time
The OPNFV project's goal for the initial response to a vulnerability report is less than 14 working days. This is not a guarantee but a goal set by the team; under some circumstances (e.g. during members' vacation periods) some variation may occur.
How to become a vulnerability managed project in OPNFV.
Projects can have security vulnerabilities managed under the OSVM process by requesting a security scheme in Jira.
This then allows a project to have vulnerabilities handled under a public embargo. A Jira issue can be marked as private, allowing coordination with the security group while a patch is prepared in private.
How to become a downstream stakeholder
Suppliers / distributors of OPNFV can request allocation as a downstream stakeholder. Downstream stakeholders are notified 3 to 5 working days in advance of private issues / patches being made public. This allows them time to plan maintenance windows and patch application processes.
To request allocation as a downstream stakeholder, please email lhinds [at] redhat [dot] com or Sona [dot] Sarmadi [at] enea [dot] com
Overview of OSVM
The OSVM process manages and coordinates the disclosure and handling of vulnerabilities reported or discovered within the OPNFV ecosystem and upstream projects.
The process inherits from the already present and well-functioning OSSG VMT Process and follows the Responsible Disclosure Approach.
Draft OSVM Embargoed Vulnerability Mgmt Process
The OPNFV OSVM process is licensed under CC Attribution 3.0 Unported, and its use was kindly granted by the OpenStack Vulnerability Management Team. New additions / refinements made by the OPNFV security group are also under the CC Attribution 3.0 Unported license.