This is an automated email from the ASF dual-hosted git repository.
DaanHoogland pushed a commit to branch staging-site
in repository https://gitbox.apache.org/repos/asf/cloudstack-www.git
The following commit(s) were added to refs/heads/staging-site by this push:
new aa2260c05 update expectation management (#437)
aa2260c05 is described below
commit aa2260c05f6decf2585c7804b13d7de30d102764
Author: dahn <[email protected]>
AuthorDate: Wed Jun 10 16:00:06 2026 +0200
update expectation management (#437)
Co-authored-by: Daan Hoogland <[email protected]>
---
src/pages/security.md | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/src/pages/security.md b/src/pages/security.md
index 7e10e892d..c55d96dad 100644
--- a/src/pages/security.md
+++ b/src/pages/security.md
@@ -39,12 +39,16 @@ team](https://www.apache.org/security/) via email to
vulnerability, how it might be exploited, and any additional information that
might be useful.
-Upon notification, the ASF security team will work with the CloudStack PMC
-through validation and fixing the issue. If the issue is validated, it
generally
-takes 2-4 weeks from notification to public announcement of the vulnerability.
-During this time, the team will communicate with you as they proceed through
the
-response procedure, and ask that the issue not be announced before an
-agreed-upon date.
+Upon notification, the ASF security team will work with the CloudStack
+PMC through validation and fixing the issue. If the issue is
+validated, it will still take time to fix the issue. The amount of
+time depends on the availability of volunteers and number people
+involved that have a stake in the issue. In later years it has turned
+out to take up to six months, from notification to public announcement
+of the vulnerability, due to parallel work on multiple issues. During
+this time, the team will communicate with you as they proceed through
+the response procedure, and ask that the issue not be announced before
+an agreed-upon date.
**Please do not create publicly-viewable JIRA tickets related to the issue**.
If
validated, a JIRA ticket with the security flag set will be created for
tracking
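Review bot: the added sentence "The amount of time depends on the availability of volunteers and number people involved that have a stake in the issue" is missing a word ("the number of people involved") and would read better as "the number of people who have a stake in the issue". In the next added sentence, "In later years" presumably means "In recent years". The same sentence gives "up to six months" as something that "has turned out" to happen, so a reporter planning coordinated disclosure cannot tell whether six months is an observed worst case or a limit the project aims for. Consider saying explicitly that it is an observation and not a commitment, and that the announcement date is the "agreed-upon date" mentioned at the end of the paragraph. Smaller point: "If the issue is validated, it will still take time to fix the issue" repeats "the issue" and could be shortened to "Once validated, the issue will still take time to fix."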