After a brief discussion with Brian Haley, it seems like this represents a minor to moderate security risk: an authenticated user can create an unbounded number of empty security groups because they're not limited by the project quota (since these are not created for their project). I'm adding an incomplete security advisory task for now to indicate that the VMT is following this, and subscribing the neutron-coresec team for added visibility. When a fix is devised, if it's a backportable solution, we can further discuss whether this is severe enough to warrant broad distribution of an advisory statement as well.