How to report security issues to OpenStack

If you think you’ve identified a vulnerability, please work with us to rectify and disclose the issue together. We provide two ways to report issues to the OpenStack Vulnerability Management Team depending on how sensitive the issue is:

  • Check the project’s documentation to determine where it receives bug reports. If on then log in and create a new story, making sure to check both the Private and Vulnerability or Security-related checkboxes, and selecting the relevant project for the initial task before saving. If on then find the project there, log in, click the ‘Report a bug’ link at the right, fill in the ‘Summary’ and ‘Further information’ fields describing the issue, then click the ‘This bug is a security vulnerability’ checkbox near the bottom of the page before submitting it. This will make the bug Private and only accessible to the Vulnerability Management Team.

  • If the issue is extremely sensitive or you’re otherwise unable to use the bug tracker directly, please send an E-mail message to one or more of the Vulnerability Management Team’s members. You’re encouraged to encrypt messages to their OpenPGP keys.


All private reports of suspected vulnerabilities are embargoed for a maximum of 90 days. Unless unusual circumstances arise, any defect reported in private will be made public within 90 calendar days from when it is received, even if a solution has not been identified.