When we recently ran a genuine vulnerability through this process, we discovered that 3-5 days was far too short. The business processes behind releasing fixed versions of software at companies that use Open vSwitch cannot cope with such rapid turnaround, due e.g. to QA and other processes.
Signed-off-by: Ben Pfaff <b...@ovn.org> --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index cbd2172..6247153 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -231,7 +231,7 @@ bug submitter as well as vendors. However, the Open vSwitch security team holds the final say when setting a disclosure date. The timeframe for disclosure is from immediate (esp. if it's already publicly known) to a few weeks. As a basic default policy, we expect report date to -disclosure date to be 3~5 business days. +disclosure date to be 10 to 15 business days. Operating system vendors are obvious downstream stakeholders. It may not be necessary to be too choosy about who to include: any major Open -- 2.1.3 _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
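Review bot: the new default of 10 to 15 business days sits at the top of the range stated two lines earlier in the same hunk ("from immediate ... to a few weeks"), so that context sentence no longer describes a range around the default; consider widening it in the same change, e.g. "to several weeks", so SECURITY.md stays internally consistent. A short clause giving the reason for the default (downstream vendors' QA and release processes, as the commit message explains) would also help readers of SECURITY.md, who never see the commit message.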