Comment 15 for bug 1372635

Jeremy Stanley (fungi) wrote :

It's worth elaborating on how the VMT drew its fuzzy line on what constitutes a security vulnerability for lack of encryption or lack of host key/certificate verification:

1. OpenStack is currently assumed to be deployed with a trusted and externally-secured management network for control-plane communication between its server components. The existing documentation strongly recommends this deployment model. As such, failure to secure this internal communication is necessarily a security vulnerability for an OpenStack deployment which follows those recommendations. This is somewhere we, as a project, can do a better job. If in the (hopefully near!) future we solve these shortcomings, any other discovered bugs in this vein would probably begin to be treated as vulnerabilities and would get security advisories, but only after documentation asserted that it was safe to connect internal OpenStack components over untrusted networks.

2. Any client-to-server communication (administrator access, end user access) which is not secured by encrypted connections and validating its endpoints is absolutely considered a security vulnerability and we have issued advisories for these bugs in the past.

3. Anything in between those other two is sort of a gray area, and we make a human judgment call as to how to handle it.

Hopefully that helps explain the landscape a little more clearly.