Stakeholders might need extra time to provide the update, so let's leave it open to negotiate case by case with the final word in the Open vSwitch security team's hands. A default policy is provided as a reference.
Signed-off-by: Flavio Leitner <f...@redhat.com> --- SECURITY.md | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index e66a43f..963d6ff 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -115,9 +115,16 @@ Step 4: Embargoed Disclosure ---------------------------- The security advisory and patches are sent to downstream stakeholders, -with an embargo date and time set to 3 to 5 business days from the -time sent. Downstream stakeholders are expected not to deploy or -disclose patches until the embargo is passed. +with an embargo date and time set from the time sent. Downstream +stakeholders are expected not to deploy or disclose patches until +the embargo is passed. + +A disclosure date is negotiated by the security team working with the +bug submitter as well as vendors. However, the Open vSwitch security +team holds the final say when setting a disclosure date. The timeframe +for disclosure is from immediate (esp. if it's already publicly known) +to a few weeks. As a basic default policy, we expect report date to +disclosure date to be on the order of 3~5 business days. Operating system vendors are obvious downstream stakeholders. It may not be necessary to be too choosy about who to include: any major Open -- 2.1.0 _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
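Review bot: the added default paragraph measures "3~5 business days" from the "report date", but the text it replaces measured the embargo from "the time sent", i.e. from when the advisory and patches go to downstream stakeholders in Step 4; those are different anchors, and the report date comes earlier, so the new default is tighter than the old one unless that is intended. Suggest either keeping the anchor consistent with the surrounding Step 4 text ("from the time the advisory is sent") or stating explicitly that the default window runs from the initial report and spans the whole process. Two smaller points in the same hunk: the first changed line now reads "with an embargo date and time set from the time sent", which no longer says how the date is chosen and could simply say "with an embargo date and time" and defer to the new paragraph; and "3~5" and "esp." would be better written as "3 to 5" and "especially" to match the style of the rest of the file.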