doc/security: enrich seventh listitem

This PR improves the language of the seventh listitem
in the Vulnerability Management Process in the security
documentation.

Signed-off-by: Zac Dover <zac.dover@gmail.com>

diff --git a/doc/security/process.rst b/doc/security/process.rst
index f2a0c731ab207a37606715a56e2aac28294c9ae7..5518b6f7b66b96133b2af0e17b4aba17409d1eea 100644 (file)
--- a/doc/security/process.rst
+++ b/doc/security/process.rst
@@ -15,13 +15,13 @@ Vulnerability Management Process
    and share the mutually agreed disclosure date with the reporter.
 #. The vulnerability disclosure / release date is set excluding Friday and
    holiday periods.
-#. Embargoes are preferred for Critical and High impact
-   issues. Embargo should not be held for more than 90 days from the
-   date of vulnerability confirmation, except under unusual
-   circumstances. For Low and Moderate issues with limited impact and
-   an easy workaround or where an issue that is already public, a
-   standard patch release process will be followed to fix the
-   vulnerability once CVE is assigned.
+#. Embargoes are preferred for "Critical" and "High impact" issues. Embargoes
+   should not be in effect for more than 90 days from the date of the
+   confirmation of the vulnerability, except under unusual circumstances. For
+   "Low" and "Moderate" issues with limited impact and an easy workaround (or
+   in cases where an issue is already public), a unique CVE identifier will be
+   assigned and then a standard patch release process will be followed to fix
+   the vulnerability.
 #. Medium and Low severity issues will be released as part of the next
    standard release cycle, with at least a 7 days advanced
    notification to the list members prior to the release date. The CVE