From f26088a64427a51d37a4de992d55235733fec525 Mon Sep 17 00:00:00 2001 From: Zac Dover Date: Thu, 20 May 2021 00:49:23 +1000 Subject: [PATCH] doc/security: enriching eighth listitem This PR improves the language in the eighth listitem in the Vulnerability Management Process. (This one's pretty nitpicky.) Signed-off-by: Zac Dover --- doc/security/process.rst | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/doc/security/process.rst b/doc/security/process.rst index 83e8679530cd..92d8ad251084 100644 --- a/doc/security/process.rst +++ b/doc/security/process.rst 
@@ -16,17 +16,17 @@ Vulnerability Management Process will be shared with the reporter. #. The vulnerability disclosure / release date is set excluding Friday and holiday periods. -#. Embargoes are preferred for "Critical" and "High impact" issues. Embargoes - should not be in effect for more than 90 days from the date of the - confirmation of the vulnerability, except under unusual circumstances. For - "Low" and "Moderate" issues with limited impact and an easy workaround (or - in cases where an issue is already public), a unique CVE identifier will be - assigned and then a standard patch release process will be followed to fix - the vulnerability. -#. Medium and Low severity issues will be released as part of the next - standard release cycle, with at least a 7 days advanced - notification to the list members prior to the release date. The CVE - fix details will be included in the release notes, which will be +#. Embargoes are preferred for Critical and High impact + issues. Embargo should not be held for more than 90 days from the + date of vulnerability confirmation, except under unusual + circumstances. For Low and Moderate issues with limited impact and + an easy workaround or where an issue that is already public, a + standard patch release process will be followed to fix the + vulnerability once CVE is assigned. +#. Fixes for issues of "Medium" and "Low" severity will be released as part of + the next standard release cycle. List members will receive seven days of + advance notice prior to the release date of these fixes. The details of the + CVE fix will be included in the release notes, and the release notes will be linked in the public announcement. #. Commits will be handled in a private repository for review and testing and a new patch version will be released from this private -- 2.47.3
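Review bot: the rewritten Embargo item (the first of the two replaced items) introduces a grammatical error and a process ambiguity. "or where an issue that is already public, a standard patch release process will be followed" should read "or where an issue is already public, a standard patch release process will be followed" (the removed text had "or in cases where an issue is already public"), and "once CVE is assigned" should read "once a CVE is assigned". The old wording also stated explicitly that "a unique CVE identifier will be assigned" for Low and Moderate issues; the new wording only implies assignment, so consider keeping the explicit commitment. Since the commit message says only the eighth item is being enriched, note that this hunk also rewrites the seventh item; either mention that in the message or leave the seventh item untouched here.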