When we recently ran a genuine vulnerability through this process, we
discovered that 3-5 days was far too short. The business processes behind
releasing fixed versions of software at companies that use Open vSwitch
cannot cope with such rapid turnaround, due e.g. to QA and other processes.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Ryan Moats <rmoats@us.ibm.com>
Acked-by: Flavio Leitner <fbl@redhat.com>
team holds the final say when setting a disclosure date. The timeframe
for disclosure is from immediate (esp. if it's already publicly known)
to a few weeks. As a basic default policy, we expect report date to
-disclosure date to be 3~5 business days.
+disclosure date to be 10 to 15 business days.
Operating system vendors are obvious downstream stakeholders. It may
not be necessary to be too choosy about who to include: any major Open
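Review bot: The new default of "10 to 15 business days" on the added line is two to three calendar weeks, which sits at the top of the range stated in the unchanged sentence just above it ("from immediate ... to a few weeks"). If the default is meant to fall inside the allowed range rather than at its limit, consider adjusting that upper bound in the same change. It would also help to add a short clause giving the reason for the default (downstream users need time for QA and release processes, as the commit message explains), so that readers of the document see the rationale without consulting the log.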