The OpenStack Security team actively works to improve OpenStack security through improvements to code, architecture and various documentation efforts including vulnerability management (through the Vulnerability Management Team) and issuing of Security Notes.
The primary focus points for the security team are:
(1) Securing the OpenStack code base
(2) Providing deployers with the documentation needed to make sound security choices when deploying or consuming OpenStack
* Author and maintain the OpenStack Security Guide
The security team conducts all non-confidential business on the openstack-dev mailing list with the [Security] tag.
* Subscribe: http://
We previously used the openstack-security mailing list.
* Archive: http://
* Act as a consultancy group for OpenStack developers
* The Vulnerability Management Team (VMT) exists as a subset of the Security Team
* VMT confidentially handles vulnerability disclosures
* The wider security team can confirm vulnerability severity at the request of the VMT
* OpenStack Security Notes provide Security Guidance on OpenStack Configuration and Usage: https:/
* Issued Security Notes: https:/
* Exploits / Proofs of Concept
* Vulnerability Research
* Threat Verification
* Security Architecture
* Secure OpenStack Provisioning
* Documenting Security Features
* Configuration Management
* Site Survey Functionality / Security Dashboard
In April 2015 the Security team became an official part of OpenStack. Previously the security effort was split between two separate organisations: the VMT and the OSSG. The VMT was a small team handling critical vulnerability reports and remediation, whereas the OSSG carried out the bulk of the remaining security activities within OpenStack. In early 2015 these teams merged, and this was quickly followed by the Security team being accepted into OpenStack.
History of the OSSG:
Originally instigated in 2012 by HP and Nebula, the OSSG initially sought to work on an invite-only basis, drawing in contributors from large OpenStack teams such as Rackspace, Ubuntu and Red Hat. The team has since grown significantly in size and function and now works on a moderated-list model: we are open to contributors of all types, and the list is moderated simply to keep out spammers.
Security Team Code of Ethics:
Members of the security team agree that the goals of the group are to improve the security of OpenStack. Information made available to the security team may at times be sensitive and should always be treated as confidential, not to be shared outside of the group. Members are expressly prohibited from profiting by sharing vulnerability or exploit information obtained from the security team with a third party. All group members agree to abide by industry best practices in responsible disclosure, including providing proper attribution for any technical contributions.
The security team follows the processes in place for all OpenStack projects and has an elected Project Technical Lead (PTL); at this moment that PTL is Robert Clark (hyakuhei). The PTL's responsibilities include:
* Formal liaison with OpenStack teams
* Security team co-ordination
* Driving Security Awareness
* Providing Suggestions for Research Direction
Ongoing Tasks for the Security Team:
* Recruiting security talent
* Evangelizing security within the community
* Document current best practices - useful as a documentation exercise and for understanding next steps (e.g., if best practice involves strongly isolating a particular component because it is riddled with security issues, that helps reveal where we should be working)
* Develop stress tests that can be integrated with current testing