From: Josh Durgin Date: Thu, 20 May 2021 00:42:21 +0000 (-0700) Subject: Merge pull request #41409 from zdover23/wip-doc-security-2021-05-19-fifth-item X-Git-Tag: v17.1.0~1909 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=5ab2128633609163b5c4e8d552af0b5e2089600f;p=ceph.git Merge pull request #41409 from zdover23/wip-doc-security-2021-05-19-fifth-item doc/security: updating fifth listitem Reviewed-by: Josh Durgin --- 5ab2128633609163b5c4e8d552af0b5e2089600f diff --cc doc/security/process.rst index 2ca3d833c201,a202038907a1..83e8679530cd --- a/doc/security/process.rst +++ b/doc/security/process.rst @@@ -10,18 -10,19 +10,19 @@@ Vulnerability Management Proces #. If the team confirms the report, a unique CVE identifier will be assigned and shared with the reporter. The team will take action to fix the issue. - #. If a reporter has no disclosure date in mind, a Ceph security team - member will coordinate a release date (CRD) with the list members - and share the mutually agreed disclosure date with the reporter. + #. In cases in which a reporter has not chosen a date to disclose the + vulnerability, a Ceph security team member will work with the list members + to coordinate a release date (CRD). The agreed upon release date + will be shared with the reporter. #. The vulnerability disclosure / release date is set excluding Friday and holiday periods. -#. Embargoes are preferred for Critical and High impact - issues. Embargo should not be held for more than 90 days from the - date of vulnerability confirmation, except under unusual - circumstances. For Low and Moderate issues with limited impact and - an easy workaround or where an issue that is already public, a - standard patch release process will be followed to fix the - vulnerability once CVE is assigned. +#. Embargoes are preferred for "Critical" and "High impact" issues. 
Embargoes + should not be in effect for more than 90 days from the date of the + confirmation of the vulnerability, except under unusual circumstances. For + "Low" and "Moderate" issues with limited impact and an easy workaround (or + in cases where an issue is already public), a unique CVE identifier will be + assigned and then a standard patch release process will be followed to fix + the vulnerability. #. Medium and Low severity issues will be released as part of the next standard release cycle, with at least a 7 days advanced notification to the list members prior to the release date. The CVE
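Review bot: the rewritten embargo item (the `+#. Embargoes are preferred for "Critical" and "High impact" issues.` line and its continuation) quotes the severity labels inconsistently with the rest of the list: the next item says "Medium and Low severity" with no quotes, and quoting "High impact" as one unit makes the label read as "High impact" rather than "High", so either `"Critical" and "High" impact issues` or unquoted labels matching the following item would be clearer. The same continuation says "a unique CVE identifier will be assigned and then a standard patch release process will be followed", which repeats the earlier item "a unique CVE identifier will be assigned and shared with the reporter" for every confirmed report; keeping the old wording's "once the CVE is assigned" avoids implying a second, separate assignment step. This item also still says "Low" and "Moderate" while the next item says "Medium and Low severity"; since the change already rewords this item, it is the natural place to align the two names.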