)]}'
{"doc/source/contributor/vulnerability.rst":[{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"b6187874890956b4d51fdd12bd2379036c33082d","unresolved":true,"context_lines":[{"line_number":23,"context_line":"In Ironic community, there is 2 groups of code used in Ironic."},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"* **(Group 1)** Code under control of Ironic community"},{"line_number":26,"context_line":"* **(Group 2)** Code not controlled or maintained by Ironic community"},{"line_number":27,"context_line":"  (e.g. vendor provided Python module used in that vendor\u0027s Ironic driver)"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"If vulnerability is found and cause of vulnerability is in one of or both of above groups of code,"}],"source_content_type":"text/x-rst","patch_set":1,"id":"b6d92d7d_07b40f16","line":26,"updated":"2023-02-24 20:54:14.000000000","message":"We need to be careful talking about these. They are not OpenStack projects, Ironic has no control over them. I\u0027d suggest wording this more around scope.\nSomething like:\nThis document covers how to report vulnerabilities for OpenStack Bare Metal projects, including [list from group 1]. If there is a vulnerability in a related project to Ironic, such as a vendor library we consume, we will gladly connect a reporter up to a responsible party.","commit_id":"78cfe631894ad8d603b86c9c959a8d9bc350dc43"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"b6187874890956b4d51fdd12bd2379036c33082d","unresolved":true,"context_lines":[{"line_number":64,"context_line":""},{"line_number":65,"context_line":"Following is Ironic community member responsible to vulnerability handling:"},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"* WHO?"},{"line_number":68,"context_line":""},{"line_number":69,"context_line":".. (vanou)comment"},{"line_number":70,"context_line":"   We need to determine community member responsible to vulnerability handling"}],"source_content_type":"text/x-rst","patch_set":1,"id":"86441086_804c9f5b","line":67,"updated":"2023-02-24 20:54:14.000000000","message":"I\u0027d say in general, Ironic follows the OpenStack vulnerability management policies where applicable. Security bugs should be created in the bugtracker and marked security-related, then notify the Ironic team via IRC or email. (You can use my name/contact info as current PTL; but really if the details are in a closed bug; even a mailing list post would be OK).","commit_id":"78cfe631894ad8d603b86c9c959a8d9bc350dc43"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"b6187874890956b4d51fdd12bd2379036c33082d","unresolved":true,"context_lines":[{"line_number":101,"context_line":".. [#] https://storyboard.openstack.org"},{"line_number":102,"context_line":""},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"Vulnerability found in code belonging to group 2, or both group 1 and group 2"},{"line_number":105,"context_line":"-----------------------------------------------------------------------------"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"On the other hand, if vulnerability is found in group 2 code, or fix of found vulnerability requires"}],"source_content_type":"text/x-rst","patch_set":1,"id":"01077955_12f0081a","line":104,"updated":"2023-02-24 20:54:14.000000000","message":"This is out of scope of things that Ironic/OpenStack can speak to or set policy on. We can only talk about how to manage vulnerabilities for projects in control of OpenStack.","commit_id":"78cfe631894ad8d603b86c9c959a8d9bc350dc43"}]}
