doc/security: updating fourth item

This PR makes minor changes (nitpicking, really)
to make the sentence a little easier to read.

Signed-off-by: Zac Dover <zac.dover@gmail.com>

diff --git a/doc/security/process.rst b/doc/security/process.rst
index 83e8679530cdd28cd08c26dcb599fe989c33ed33..9bde7054abb8d8a7b7ca73317a3a366122577f0b 100644 (file)
--- a/doc/security/process.rst
+++ b/doc/security/process.rst
@@ -7,13 +7,12 @@ Vulnerability Management Process
    surrounding the reported issue.
 #. If the team does not confirm the report, no further action will be
    taken and the issue will be closed.
-#. If the team confirms the report, a unique CVE identifier will be
-   assigned and shared with the reporter. The team will take action to
-   fix the issue.
-#. In cases in which a reporter has not chosen a date to disclose the
-   vulnerability, a Ceph security team member will work with the list members
-   to coordinate a release date (CRD). The agreed upon release date
-   will be shared with the reporter.
+#. If the report is confirmed by Ceph team members, a unique CVE identifier
+   will be assigned to the report and then shared with the reporter. The Ceph
+   security team will start working on a fix. 
+#. If a reporter has no disclosure date in mind, a Ceph security team
+   member will coordinate a release date (CRD) with the list members
+   and share the mutually agreed disclosure date with the reporter.
 #. The vulnerability disclosure / release date is set excluding Friday and
    holiday periods.
 #. Embargoes are preferred for "Critical" and "High impact" issues. Embargoes