Comment 9 for bug 2030976

Jeremy Stanley (fungi) wrote:

Once there is a template for a working fix in Ironic and/or Nova, I recommend we switch this to public and get other project teams to audit their codebases for similar issues. Once we think the bulk of them are covered (at least any for which vulnerability reports are overseen by the VMT), we can publish a single advisory covering the lot.

Coordinating an effort like that privately across many projects gets very complicated, and increases the number of people who know about the problem to the point where it may as well be public anyway.

Given the nature of this defect is that Keystone tokens are being included in notifications, untrusted parties with an interest in exploiting their access to that information will likely find it regardless of whether we work on this bug privately or in public.