25/01/2021 02:57, Marvin Liu:
> Sometimes the security team won't send a confirmation mail back to the reporter
> in three business days. This means the reported vulnerability is either low
> severity or not a real vulnerability. The reporter should assume that the
> issue needs the shortest embargo. After that the reporter can submit it through
> the normal bugzilla process or send out a fix patch to the public.
>
> Signed-off-by: Marvin Liu <yong....@intel.com>
> Signed-off-by: Qian Xu <qian.q...@intel.com>
>
> diff --git a/doc/guides/contributing/vulnerability.rst
> b/doc/guides/contributing/vulnerability.rst
> index b6300252ad..cda814fa69 100644
> --- a/doc/guides/contributing/vulnerability.rst
> +++ b/doc/guides/contributing/vulnerability.rst
> @@ -99,6 +99,11 @@ Following information must be included in the mail:
> * Reporter credit
> * Bug ID (empty and restricted for future reference)
>
> +If no confirmation mail send back to reporter in this period, thus mean
> security
> +team take this vulnerability as low severity. Furthermore shortest embargo
> **two weeks**
> +is required for it. Reporter can sumbit the bug through normal process or
> send

sumbit -> submit

> +out patch to public.

Do we agree on the principle?
Does it require a bit of rewriting?
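Review bot: the paragraph added after the "Bug ID" bullet leaves "this period" undefined and does not say when the **two weeks** embargo starts; the commit message gives three business days for the confirmation, so the guide text itself should state that number and say whether the two weeks count from the report date or from the end of that window. As written it also turns a missing mail (lost, delayed, or caught by a filter) into permission to post a patch publicly; consider asking the reporter to re-send the report once before falling back to the normal bugzilla process. Wording: "If no confirmation mail send back to reporter" should read "If no confirmation mail is sent back to the reporter", "thus mean" should be "this means", and "sumbit" should be "submit".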