by djsumdog 3573 days ago
I worked for a company that did OpenStack; I was pulled into their security team. That company dumped so much money just to have a terrible OpenStack client offering.

There was no CVE mailing list like other projects have. We had to scrape their Launchpad bug tracker. On top of that, none of the package repos we checked (Canonical's, Debian's, a couple of others) would even have package updates for up to three weeks on some of the CVEs. We started building our own CI so we could build and patch ourselves. Then I got pulled from the OpenStack team onto something that was not a bottomless pit of haemorrhaging money.