author: Ben Pfaff <blp@ovn.org> 2016-03-31 21:54:03 -0700
committer: Ben Pfaff <blp@ovn.org> 2016-04-10 13:38:57 -0700
commit: 24de3634f9dc2e1ca07ce65fcf619a197a5cb61e
tree: 3ebf00d87700cb1988f11c7912368571c2dcf1f0 /SECURITY.md
parent: 811c911ff523b0cbba4fbf1b4523a63690d522f1
SECURITY.md: Increase embargo period from 3-5 to 10-15 business days.

When we recently ran a genuine vulnerability through this process, we discovered that 3-5 days was far too short. The business processes behind releasing fixed versions of software at companies that use Open vSwitch cannot cope with such rapid turnaround, due e.g. to QA and other processes.

Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Ryan Moats <rmoats@us.ibm.com>
Acked-by: Flavio Leitner <fbl@redhat.com>

Diffstat (limited to 'SECURITY.md')
-rw-r--r-- SECURITY.md 2
1 files changed, 1 insertions, 1 deletions
diff --git a/SECURITY.md b/SECURITY.md
index cbd2172ac..624715332 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -231,7 +231,7 @@ bug submitter as well as vendors. However, the Open vSwitch security
team holds the final say when setting a disclosure date. The timeframe
for disclosure is from immediate (esp. if it's already publicly known)
to a few weeks. As a basic default policy, we expect report date to
-disclosure date to be 3~5 business days.
+disclosure date to be 10 to 15 business days.
Operating system vendors are obvious downstream stakeholders. It may
not be necessary to be too choosy about who to include: any major Open
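
Review bot: the new default on the `+` line, 10 to 15 business days, is two to three calendar weeks, which puts it at the top of the range the unchanged context just above gives as "from immediate ... to a few weeks", so the default and the stated maximum now nearly coincide. Consider widening or making explicit the upper bound in that sentence so a reader can tell how much room is left for cases that need longer than the default. The commit message justifies the change by downstream vendors' QA and release processes, but the text still measures from "report date"; it would help to say whether vendors get the full 10 to 15 days or only what remains after triage and notification. The diffstat shows this is the only line touched, so it is worth checking the rest of SECURITY.md for any other mention of the old 3~5 figure.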