From: Zac Dover Date: Wed, 19 May 2021 14:44:00 +0000 (+1000) Subject: doc/security: enrich seventh listitem X-Git-Tag: v17.1.0~1910^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=b4058169edab3a9cbfe367cd15cacb040703c00f;p=ceph.git doc/security: enrich seventh listitem This PR improves the language of the seventh listitem in the Vulnerability Management Process in the security documentation. Signed-off-by: Zac Dover --- diff --git a/doc/security/process.rst b/doc/security/process.rst index f2a0c731ab2..5518b6f7b66 100644 --- a/doc/security/process.rst +++ b/doc/security/process.rst @@ -15,13 +15,13 @@ Vulnerability Management Process and share the mutually agreed disclosure date with the reporter. #. The vulnerability disclosure / release date is set excluding Friday and holiday periods. -#. Embargoes are preferred for Critical and High impact - issues. Embargo should not be held for more than 90 days from the - date of vulnerability confirmation, except under unusual - circumstances. For Low and Moderate issues with limited impact and - an easy workaround or where an issue that is already public, a - standard patch release process will be followed to fix the - vulnerability once CVE is assigned. +#. Embargoes are preferred for "Critical" and "High impact" issues. Embargoes + should not be in effect for more than 90 days from the date of the + confirmation of the vulnerability, except under unusual circumstances. For + "Low" and "Moderate" issues with limited impact and an easy workaround (or + in cases where an issue is already public), a unique CVE identifier will be + assigned and then a standard patch release process will be followed to fix + the vulnerability. #. Medium and Low severity issues will be released as part of the next standard release cycle, with at least a 7 days advanced notification to the list members prior to the release date. The CVE
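Review bot: In the first added line the closing quote comes after "impact", so the severity label reads "High impact" while the other labels in the same item are "Critical", "Low" and "Moderate". Quote only the rating and leave "impact" outside, e.g. `Embargoes are preferred for "Critical" and "High" impact issues.` The parenthetical "(or in cases where an issue is already public)" is attached to the sentence about "Low" and "Moderate" issues, so it is unclear whether an already-public Critical or High issue also skips the embargo and goes through the standard patch release process. The removed wording had the same ambiguity, and this rewrite is the place to settle it by giving the already-public case its own sentence. The item also uses "Moderate" while the unchanged item right after it says "Medium and Low severity issues"; use one name for that rating across the list.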