SECURITY.md: disclosure date can be negotiated

Stakeholders might need extra time to provide the update, so let's leave it open to negotiate case by case with the final word on the Open vSwitch security team's hands. A default policy is provided as a reference. Signed-off-by: Flavio Leitner <[email protected]> Signed-off-by: Ben Pfaff <[email protected]>
water0615 · Jan 7, 2015 · 48beaa8 · 48beaa8
1 parent bb6c5fa
commit 48beaa8
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -115,9 +115,16 @@ Step 4: Embargoed Disclosure
 ----------------------------
 
 The security advisory and patches are sent to downstream stakeholders,
-with an embargo date and time set to 3 to 5 business days from the
-time sent.  Downstream stakeholders are expected not to deploy or
-disclose patches until the embargo is passed.
+with an embargo date and time set from the time sent.  Downstream
+stakeholders are expected not to deploy or disclose patches until
+the embargo is passed.
+
+A disclosure date is negotiated by the security team working with the
+bug submitter as well as vendors.  However, the Open vSwitch security
+team holds the final say when setting a disclosure date.  The timeframe
+for disclosure is from immediate (esp. if it's already publicly known)
+to a few weeks.  As a basic default policy, we expect report date to
+disclosure date to be 3~5 business days.
 
 Operating system vendors are obvious downstream stakeholders.  It may
 not be necessary to be too choosy about who to include: any major Open