From 1de9238f04402786707f26deec7753a0b47e6281 Mon Sep 17 00:00:00 2001 From: Zac Dover Date: Thu, 20 May 2021 00:29:40 +1000 Subject: [PATCH] doc/security: updating fourth item This PR makes minor changes (nitpicking, really) to make the sentence a little easier to read. Signed-off-by: Zac Dover --- doc/security/process.rst | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/doc/security/process.rst b/doc/security/process.rst index 83e8679530c..9bde7054abb 100644 --- a/doc/security/process.rst +++ b/doc/security/process.rst @@ -7,13 +7,12 @@ Vulnerability Management Process surrounding the reported issue. #. If the team does not confirm the report, no further action will be taken and the issue will be closed. -#. If the team confirms the report, a unique CVE identifier will be - assigned and shared with the reporter. The team will take action to - fix the issue. -#. In cases in which a reporter has not chosen a date to disclose the - vulnerability, a Ceph security team member will work with the list members - to coordinate a release date (CRD). The agreed upon release date - will be shared with the reporter. +#. If the report is confirmed by Ceph team members, a unique CVE identifier + will be assigned to the report and then shared with the reporter. The Ceph + security team will start working on a fix. +#. If a reporter has no disclosure date in mind, a Ceph security team + member will coordinate a release date (CRD) with the list members + and share the mutually agreed disclosure date with the reporter. #. The vulnerability disclosure / release date is set excluding Friday and holiday periods. #. Embargoes are preferred for "Critical" and "High impact" issues. Embargoes -- 2.39.5
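Review bot: In the rewritten disclosure-date item, the added lines say "release date (CRD)" and then "mutually agreed disclosure date", where the removed text said "release date" both times. A reader can take these for two different dates, and the next context item ("vulnerability disclosure / release date") does not settle which is meant. Suggest keeping one term, for example "and share the agreed release date with the reporter". In the CVE item, "confirmed by Ceph team members" is followed by "The Ceph security team", while the context item just above still says "the team"; name the confirming group the same way in both sentences so it is clear that the group that confirms a report is the one that assigns the CVE and works on the fix. The CVE is also now described as "assigned to the report", which the removed wording did not say; "assigned" on its own avoids implying that the identifier tracks the report rather than the issue. Finally, the subject line says "fourth item" but the hunk rewrites two list items, so the commit message should mention both.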