While reports of suspected vulnerabilities for heat-dashboard are not normally coordinated by the OpenStack VMT, the reporter reached out to and subscribed us requesting some assistance as this has been sitting untriaged for over a month. I have in turn subscribed the Heat team's core security reviewers since I'm unsure who has initial visibility into private security bugs for heat-dashboard.
Given the probable low risk/impact from the described issue I'm inclined to recommend continuing discussion in public, but it's up to the Heat team and reporter to decide that.