While we don't normally draft security notes privately under embargo (unlike advisories), we have on occasion done so and notified downstream stakeholders with an advance copy prior to publication. This might be one of those times where private advance notification is prudent.
The process for writing an OSSN is documented here:
https://wiki.openstack.org/wiki/Security/Security_Note_Process
Would anyone like to have a go at writing up some guidance for this and the related bugs? I gather it involves policy configuration changes to disable some API method(s) but the specifics are where I cease to be useful on this matter. I'm happy to help with coordinating a publication date and getting it sent to the stakeholders.