Comment 10 for bug 1795800

Andy Ngo (andyngo) wrote : Re: Username enumeration via response timing difference

Regardless of the "to fix or not to fix" question, can we please start the process of filing this bug with MITRE and get a CVE assigned for tracking?

Perhaps we should consider disclosing this issue to the public via an official channel e.g. OpenStack maintainers?

I think we have all agreed that this is indeed an information disclosure issue. The question of how easy it is to fix should not prevent us from carrying out our duty of care i.e. properly disclosing to keystone users.

After all, security issues mean different things to different organisations and, along with that, carry different severity.