+-- On Tue, 12 May 2020, Philippe Mathieu-Daudé wrote --+
| The cover describes the bug as OOB, so I suppose this is a security issue.
| Now a 6 months embargo surprises me. I was expecting some period in a
| 30-90 days range to be the default. However reading the 'Publication embargo'
| chapter on https://www.qemu.org/contribute/security-process/, it is only
| stated "Embargo periods will be negotiated by mutual agreement between
| members of the security team and other relevant parties to the problem."
| Shouldn't there be a maximum upper limit on the embargo period? Are there QEMU
| security bugs embargoed for more than a year? That would be a shame.

Yes, some of these issues are old. We are working on the time-line details. We have a quite regular influx of CVE issues, which leads to long triage times for some of them.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D