security.rst: Add more information about the Downstream mailing list.

Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Flavio Leitner <fbl@sysclose.org>

1 files changed, 7 insertions, 4 deletions

diff --git a/Documentation/internals/security.rst b/Documentation/internals/security.rst
index f6a31ad01..8b4e5c3f4 100644
--- a/Documentation/internals/security.rst
+++ b/Documentation/internals/security.rst
@@ -247,10 +247,13 @@ immediate (esp. if it's already publicly known) to a few weeks. As a basic
 default policy, we expect report date to disclosure date to be 10 to 15
 business days.
 
-Operating system vendors are obvious downstream stakeholders. It may not be
-necessary to be too choosy about who to include: any major Open vSwitch user
-who is interested and can be considered trustworthy enough could be included.
-To become a downstream stakeholder, email the ovs-security mailing list.
+Operating system vendors are obvious downstream stakeholders, however,
+any major Open vSwitch user who is interested and can be considered
+trustworthy enough could be included.  To request being added to the
+Downstream mailing list, email the ovs-security mailing list.  Please
+include a few sentences on how your organization uses Open vSwitch.  If
+possible, please provide a security-related email alias rather than a
+direct end-user address.
 
 If the vulnerability is already public, skip this step.