doc/security: enrich seventh listitem

This PR improves the language of the seventh listitem in the Vulnerability Management Process in the security documentation. Signed-off-by: Zac Dover <zac.dover@gmail.com>
2025-04-29 22:28:31 +00:00 · 2021-05-20 00:44:00 +10:00 · 2021-05-20 00:44:00 +10:00 · b4058169ed
commit b4058169ed
parent f6b24ece91
1 changed files with 7 additions and 7 deletions
--- a/doc/security/process.rst
+++ b/doc/security/process.rst
@ -15,13 +15,13 @@ Vulnerability Management Process
   and share the mutually agreed disclosure date with the reporter.
 #. The vulnerability disclosure / release date is set excluding Friday and
   holiday periods.
-#. Embargoes are preferred for Critical and High impact
+#. Embargoes are preferred for "Critical" and "High impact" issues. Embargoes
-   issues. Embargo should not be held for more than 90 days from the
+   should not be in effect for more than 90 days from the date of the
-   date of vulnerability confirmation, except under unusual
+   confirmation of the vulnerability, except under unusual circumstances. For
-   circumstances. For Low and Moderate issues with limited impact and
+   "Low" and "Moderate" issues with limited impact and an easy workaround (or
-   an easy workaround or where an issue that is already public, a
+   in cases where an issue is already public), a unique CVE identifier will be
-   standard patch release process will be followed to fix the
+   assigned and then a standard patch release process will be followed to fix
-   vulnerability once CVE is assigned.
+   the vulnerability.
 #. Medium and Low severity issues will be released as part of the next
   standard release cycle, with at least a 7 days advanced
   notification to the list members prior to the release date. The CVE