SECURITY.md: disclosure date can be negotiated

Stakeholders might need extra time to provide the update,
so let's leave it open to negotiate case by case with the
final word on the Open vSwitch security team's hands.  A
default policy is provided as a reference.

Signed-off-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

diff --git a/SECURITY.md b/SECURITY.md
index e66a43f..f2695ea 100644 (file)
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -115,9 +115,16 @@ Step 4: Embargoed Disclosure
 ----------------------------
 
 The security advisory and patches are sent to downstream stakeholders,
-with an embargo date and time set to 3 to 5 business days from the
-time sent.  Downstream stakeholders are expected not to deploy or
-disclose patches until the embargo is passed.
+with an embargo date and time set from the time sent.  Downstream
+stakeholders are expected not to deploy or disclose patches until
+the embargo is passed.
+
+A disclosure date is negotiated by the security team working with the
+bug submitter as well as vendors.  However, the Open vSwitch security
+team holds the final say when setting a disclosure date.  The timeframe
+for disclosure is from immediate (esp. if it's already publicly known)
+to a few weeks.  As a basic default policy, we expect report date to
+disclosure date to be 3~5 business days.
 
 Operating system vendors are obvious downstream stakeholders.  It may
 not be necessary to be too choosy about who to include: any major Open