Security is a fundamental goal of the OpenStack architecture and needs to
be addressed at all layers of the stack. Like any complex, evolving system,
security has to be vigilantly pursued, and exposures eliminated. We need
If you think you’ve identified a vulnerability, please work with us to
rectify and disclose the issue responsibly.
Recent OpenStack Security Advisories
You can find the complete list of published advisories here:
How to Report Security Issues to OpenStack
We provide two ways to report issues to the OpenStack Vulnerability Management
Team depending on how sensitive the issue is:
- Search for the corresponding project at https://launchpad.net/ and after
selecting it, click the ‘Report a bug’ link at the right. Fill in the
‘Summary’ and ‘Further information’ fields describing the issue, then
click the ‘This bug is a security vulnerability’ checkbox near the bottom
of the page before submitting it. This will make the bug Private and only
accessible to the Vulnerability Management Team.
- If the issue is extremely sensitive, please send an encrypted email to one
of the Team’s members. Their GPG keys can be found below, and are also
available from popular public GPG key servers.
OpenStack Vulnerability Management Team
The OpenStack Vulnerability Management team is a very small group of experts
in vulnerability management drawn from the OpenStack community. Our job is
to facilitate the reporting of vulnerabilities, coordinate security fixes
and handle progressive disclosure of the vulnerability information.
Specifically, we are responsible for the following functions:
- Vulnerability Management: All vulnerabilities discovered by community
members (or users) can be reported to the Team.
- Vulnerability Tracking: The Team will curate a set of vulnerability related
issues in the issue tracker. Some of these issues will be private to the
Team and the affected product leads, but once remediated, all vulnerabilities
will be public.
- Responsible Disclosure: As part of our commitment to work with the security
community, the Team will ensure that proper credit is given to security
researchers who responsibly report issues in OpenStack.
See Vulnerability Management Process for details on our open process.
Other Security Teams in OpenStack
Other teams of security-conscious people in the OpenStack community work
together to improve security in OpenStack, in particular working on:
- Introduce security improvements - Brainstorm and implement security
improvements for OpenStack core projects.
- Audits - Coordinate security auditing efforts between members.
- Facilitation - Support security products and vendors wanting to be part of
the OpenStack community.
See the Security Teams wiki page for the full list of security-oriented
teams you can join.
OpenStack secure development guidelines
The OpenStack security team has collaboratively developed this set of
guidelines and best practices to help avoid common mistakes that lead
to security vulnerabilities within the OpenStack platform.