-with an embargo date and time set to 3 to 5 business days from the
-time sent. Downstream stakeholders are expected not to deploy or
-disclose patches until the embargo is passed.
+with an embargo date and time set from the time sent. Downstream
+stakeholders are expected not to deploy or disclose patches until
+the embargo is passed.
+
+A disclosure date is negotiated by the security team working with the
+bug submitter as well as vendors. However, the Open vSwitch security
+team holds the final say when setting a disclosure date. The timeframe
+for disclosure is from immediate (esp. if it's already publicly known)
+to a few weeks. As a basic default policy, we expect report date to
+disclosure date to be 3~5 business days.