From: Zac Dover
Date: Wed, 19 May 2021 14:49:23 +0000 (+1000)
Subject: doc/security: enriching eighth listitem
X-Git-Tag: v17.1.0~1894^2
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=f26088a64427a51d37a4de992d55235733fec525;p=ceph-ci.git

doc/security: enriching eighth listitem

This PR improves the language in the eighth listitem in the Vulnerability Management Process. (This one's pretty nitpicky.)

Signed-off-by: Zac Dover
---

diff --git a/doc/security/process.rst b/doc/security/process.rst
index 83e8679530c..92d8ad25108 100644
--- a/doc/security/process.rst
+++ b/doc/security/process.rst
@@ -16,17 +16,17 @@ Vulnerability Management Process will be shared with the reporter. #. The vulnerability disclosure / release date is set excluding Friday and holiday periods. -#. Embargoes are preferred for "Critical" and "High impact" issues. Embargoes - should not be in effect for more than 90 days from the date of the - confirmation of the vulnerability, except under unusual circumstances. For - "Low" and "Moderate" issues with limited impact and an easy workaround (or - in cases where an issue is already public), a unique CVE identifier will be - assigned and then a standard patch release process will be followed to fix - the vulnerability. -#. Medium and Low severity issues will be released as part of the next - standard release cycle, with at least a 7 days advanced - notification to the list members prior to the release date. The CVE - fix details will be included in the release notes, which will be +#. Embargoes are preferred for Critical and High impact + issues. Embargo should not be held for more than 90 days from the + date of vulnerability confirmation, except under unusual + circumstances. For Low and Moderate issues with limited impact and + an easy workaround or where an issue that is already public, a + standard patch release process will be followed to fix the + vulnerability once CVE is assigned. +#. Fixes for issues of "Medium" and "Low" severity will be released as part of + the next standard release cycle. List members will receive seven days of + advance notice prior to the release date of these fixes. The details of the + CVE fix will be included in the release notes, and the release notes will be linked in the public announcement. #. Commits will be handled in a private repository for review and testing and a new patch version will be released from this private
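Review bot: The hunk also rewrites the seventh list item (the "Embargoes are preferred ..." block), which the commit message does not mention, and the replacement text is worse than what it removes: it reintroduces the ungrammatical "or where an issue that is already public", drops the quotation marks around "Critical" and "High impact" that the eighth item still uses for "Medium" and "Low", and replaces "a unique CVE identifier will be assigned and then a standard patch release process will be followed" with the vaguer "once CVE is assigned". That looks like the branch was rebased onto a stale base; the seventh item's `-` lines should be restored so the diff touches only the eighth item. In the eighth item itself, "at least a 7 days advanced notification" became "List members will receive seven days of advance notice prior to the release date", which silently drops the "at least" minimum; suggest "List members will receive at least seven days of advance notice before the release date of these fixes."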