#. If the team confirms the report, a unique CVE identifier will be
assigned and shared with the reporter. The team will take action to
fix the issue.
- #. If a reporter has no disclosure date in mind, a Ceph security team
- member will coordinate a release date (CRD) with the list members
- and share the mutually agreed disclosure date with the reporter.
+ #. In cases in which a reporter has not chosen a date to disclose the
+ vulnerability, a Ceph security team member will work with the list members
+ to coordinate a release date (CRD). The agreed upon release date
+ will be shared with the reporter.
#. The vulnerability disclosure / release date is set excluding Friday and
holiday periods.
-#. Embargoes are preferred for Critical and High impact
- issues. Embargo should not be held for more than 90 days from the
- date of vulnerability confirmation, except under unusual
- circumstances. For Low and Moderate issues with limited impact and
- an easy workaround or where an issue that is already public, a
- standard patch release process will be followed to fix the
- vulnerability once CVE is assigned.
+#. Embargoes are preferred for "Critical" and "High impact" issues. Embargoes
+ should not be in effect for more than 90 days from the date of the
+ confirmation of the vulnerability, except under unusual circumstances. For
+ "Low" and "Moderate" issues with limited impact and an easy workaround (or
+ in cases where an issue is already public), a unique CVE identifier will be
+ assigned and then a standard patch release process will be followed to fix
+ the vulnerability.
#. Medium and Low severity issues will be released as part of the next
standard release cycle, with at least a 7 days advanced
notification to the list members prior to the release date. The CVE