> On 9 Mar 2023, at 13:45, Daniel Stenberg via curl-library <curl-library@lists.haxx.se> wrote:
>
> I think we should allow or even demand that Low+Medium issues get managed
> through plain PRs. But without highlighting or mentioning the security
> vulnerability risk.

This opens us up to the risk that we've misjudged the severity, and we publish what we think is Low but in reality should've been High (or higher). Ideally this shouldn't happen, and thus the risk is low, but known risks are better than unknown. If we are on the fence regarding severity it should be fine to keep it hidden as per the process for High.

There is also the case when information in a report is provided to us under an embargo, the date of which must take precedence.

So, I don't mind allowing it, but I don't want to demand it for the reasons stated above (and your PR doesn't demand it either).

--
Daniel Gustafsson