SECURITY.md: Increase embargo period from 3-5 to 10-15 business days.

When we recently ran a genuine vulnerability through this process, we
discovered that 3-5 days was far too short.  The business processes behind
releasing fixed versions of software at companies that use Open vSwitch
cannot cope with such rapid turnaround, due e.g. to QA and other processes.

Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Ryan Moats <rmoats@us.ibm.com>
Acked-by: Flavio Leitner <fbl@redhat.com>

diff --git a/SECURITY.md b/SECURITY.md
index cbd2172..6247153 100644 (file)
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -231,7 +231,7 @@ bug submitter as well as vendors.  However, the Open vSwitch security
 team holds the final say when setting a disclosure date.  The timeframe
 for disclosure is from immediate (esp. if it's already publicly known)
 to a few weeks.  As a basic default policy, we expect report date to
-disclosure date to be 3~5 business days.
+disclosure date to be 10 to 15 business days.
 
 Operating system vendors are obvious downstream stakeholders.  It may
 not be necessary to be too choosy about who to include: any major Open