If this risk relies strictly on guessing or finding a victim's instance UUID through other means, then it's a class C1 report per our taxonomy and can be triaged as a potential hardening opportunity instead. https://security.openstack.org/vmt-process.html#incident-report-taxonomy
Since C1 implies the possibility of an OSSN, I'm also subscribing the ossg-coresec team to review it.