Sometimes security team won't send confirmation mail back to reporter in three business days. This mean reported vulnerability is either low severity or not a real vulnerability. Reporter should assume that the issue need shortest embargo. After that reporter can submit it through normal bugzilla process or send out fix patch to public.
Signed-off-by: Marvin Liu <yong....@intel.com> Signed-off-by: Qian Xu <qian.q...@intel.com> diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst index b6300252ad..cda814fa69 100644 --- a/doc/guides/contributing/vulnerability.rst +++ b/doc/guides/contributing/vulnerability.rst @@ -99,6 +99,11 @@ Following information must be included in the mail: * Reporter credit * Bug ID (empty and restricted for future reference) +If no confirmation mail send back to reporter in this period, thus mean security +team take this vulnerability as low severity. Furthermore shortest embargo **two weeks** +is required for it. Reporter can sumbit the bug through normal process or send +out patch to public. + CVE Request ----------- -- 2.17.1
