Comment 18 for bug 1561199

We still need a determination as to whether this embargoed bug will end in a coordinated OpenStack Security Advisory for swift/keystonemiddleware, or if we're only keeping this report under wraps for now at the request of the swift3 developers. If there is need for an OSSA then we need an impact description and lead time to notify downstream developers before patches are pushed into public code review. Also, making this bug public probably involves making bug 1566416 public too, since some of its details are discussed here.

Input from the Swift and Keystone core security reviewers on these matters would be appreciated.