OpenInfra Days North America 2024 at Indiana University

In order to successfully develop software through open community collaboration, tools and workflows are carefully chosen with regard to transparency and visibility of activities. This makes it easier for people to see what’s going on within the project and get involved, but safety-critical activities like security vulnerability management require temporary secrecy, a fundamental conflict presenting unique challenges.

This presentation will cover the workflows and tooling choices OpenStack’s vulnerability managers have employed and refined for more than a decade, with specific goals of keeping secrets only when necessary and making sure the record of our activities becomes fully public as soon as possible. Our processes are openly documented, with templating and automation that streamlines these sensitive workflows, serving as a model for many other communities as well as forming the basis of popular industry specifications and standard practices over the years. Learn how it’s done, get involved in our community, or apply these principles within your own projects.