SECURITY.md: Increase embargo period from 3-5 to 10-15 business days.
When we recently ran a genuine vulnerability through this process, we
discovered that 3-5 days was far too short.  The business processes behind
releasing fixed versions of software at companies that use Open vSwitch
cannot cope with such rapid turnaround, due e.g. to QA and other processes.

Signed-off-by: Ben Pfaff <[email protected]>
Acked-by: Ryan Moats <[email protected]>
Acked-by: Flavio Leitner <[email protected]>
blp committed Apr 10, 2016
1 parent 811c911 commit 24de363
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion SECURITY.md
Expand Up @@ -231,7 +231,7 @@ bug submitter as well as vendors. However, the Open vSwitch security
team holds the final say when setting a disclosure date. The timeframe
for disclosure is from immediate (esp. if it's already publicly known)
to a few weeks. As a basic default policy, we expect report date to
disclosure date to be 3~5 business days.
disclosure date to be 10 to 15 business days.

Operating system vendors are obvious downstream stakeholders. It may
not be necessary to be too choosy about who to include: any major Open
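Review bot: the new default of "10 to 15 business days" sits at the upper end of the "from immediate (esp. if it's already publicly known) to a few weeks" range stated a few lines above in the same hunk; consider adjusting that sentence, or adding a short clause explaining that the longer default exists because downstream vendors need time for QA and release processes (the rationale given in the commit message), so that readers of SECURITY.md understand why the default is no longer near the "immediate" end. The change from "3~5" to "10 to 15" also fixes the inconsistent range notation.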
