This is an automated email from the ASF dual-hosted git repository.

DaanHoogland pushed a commit to branch sec-update
in repository https://gitbox.apache.org/repos/asf/cloudstack-www.git


The following commit(s) were added to refs/heads/sec-update by this push:
     new 11d76a3a4 update expectation management
11d76a3a4 is described below

commit 11d76a3a444165b094571b7698d2cbe34d76b069
Author: Daan Hoogland <[email protected]>
AuthorDate: Fri Jun 5 14:01:50 2026 +0200

    update expectation management
---
 src/pages/security.md | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/pages/security.md b/src/pages/security.md
index 7e10e892d..1f5b025d9 100644
--- a/src/pages/security.md
+++ b/src/pages/security.md
@@ -39,12 +39,17 @@ team](https://www.apache.org/security/) via email to
 vulnerability, how it might be exploited, and any additional information that
 might be useful.
 
-Upon notification, the ASF security team will work with the CloudStack PMC
-through validation and fixing the issue. If the issue is validated, it 
generally
-takes 2-4 weeks from notification to public announcement of the vulnerability.
-During this time, the team will communicate with you as they proceed through 
the
-response procedure, and ask that the issue not be announced before an
-agreed-upon date.
+Upon notification, the ASF security team will work with the CloudStack
+PMC through validation and fixing the issue. If the issue is
+validated, it will still take time to fix the issue. The amount of
+time depends on the availability of volunteers and number people
+involved that have a stake in the issue. In the past this would
+generally takes 2-4 weeks from notification to public announcement of
+the vulnerability. In later years it has turned out to take more time
+(up to six months in some cases) due to parallel work on multiple
+issues. During this time, the team will communicate with you as they
+proceed through the response procedure, and ask that the issue not be
+announced before an agreed-upon date.
 
 **Please do not create publicly-viewable JIRA tickets related to the issue**. 
If
 validated, a JIRA ticket with the security flag set will be created for 
tracking
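Review bot: The added paragraph has two grammar slips that would go onto the public security page. "number people involved" is missing "of", and "In the past this would generally takes 2-4 weeks" should read "In the past this generally took 2-4 weeks". The sentence "If the issue is validated, it will still take time to fix the issue" repeats "the issue" and could be shortened to "Once validated, a fix still takes time". The new "up to six months in some cases" sits directly before the unchanged request that the issue "not be announced before an agreed-upon date", so the embargo a reporter is asked to honour is now much longer than the old 2-4 weeks. Consider adding a sentence on when that date is agreed and how the reporter is told if it moves.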
