projects / cascardo / ovs.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
SECURITY.md: disclosure date can be negotiated
[cascardo/ovs.git] / SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
index e66a43f..f2695ea 100644 (file)
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -115,9 +115,16 @@ Step 4: Embargoed Disclosure
 ----------------------------
 
 The security advisory and patches are sent to downstream stakeholders,
-with an embargo date and time set to 3 to 5 business days from the
-time sent.  Downstream stakeholders are expected not to deploy or
-disclose patches until the embargo is passed.
+with an embargo date and time set from the time sent.  Downstream
+stakeholders are expected not to deploy or disclose patches until
+the embargo is passed.
+
+A disclosure date is negotiated by the security team working with the
+bug submitter as well as vendors.  However, the Open vSwitch security
+team holds the final say when setting a disclosure date.  The timeframe
+for disclosure is from immediate (esp. if it's already publicly known)
+to a few weeks.  As a basic default policy, we expect report date to
+disclosure date to be 3~5 business days.
 
 Operating system vendors are obvious downstream stakeholders.  It may
 not be necessary to be too choosy about who to include: any major Open
Unnamed repository; edit this file 'description' to name the repository.