[ovs-dev] [PATCH 2/3] SECURITY.md: disclosure date can be negotiated

[Flavio Leitner]

Stakeholders might need extra time to provide the update,
so let's leave it open to negotiate case by case with the
final word on the Open vSwitch security team's hands.  A
default policy is provided as a reference.

Signed-off-by: Flavio Leitner <fbl at redhat.com>
---
 SECURITY.md | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index e66a43f..963d6ff 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -115,9 +115,16 @@ Step 4: Embargoed Disclosure
 ----------------------------
 
 The security advisory and patches are sent to downstream stakeholders,
-with an embargo date and time set to 3 to 5 business days from the
-time sent.  Downstream stakeholders are expected not to deploy or
-disclose patches until the embargo is passed.
+with an embargo date and time set from the time sent.  Downstream
+stakeholders are expected not to deploy or disclose patches until
+the embargo is passed.
+
+A disclosure date is negotiated by the security team working with the
+bug submitter as well as vendors.  However, the Open vSwitch security
+team holds the final say when setting a disclosure date.  The timeframe
+for disclosure is from immediate (esp. if it's already publicly known)
+to a few weeks.  As a basic default policy, we expect report date to
+disclosure date to be on the order of 3~5 business days.
 
 Operating system vendors are obvious downstream stakeholders.  It may
 not be necessary to be too choosy about who to include: any major Open
-- 
2.1.0