potiuk commented on PR #13293:
URL: https://github.com/apache/cloudstack/pull/13293#issuecomment-4883253904

   Thanks `DaanHoogland` — nothing outstanding on our side, so this is ready to 
merge whenever you and `vishesh92` are happy. All of your and Vishesh's review 
is folded in, the `AGENTS.md → SECURITY.md → THREAT_MODEL.md` chain resolves, 
and the one open item (Q37 — a few recurring "not a vuln" patterns from your 
`security@` triage for the §11a suppression list) is an optional nice-to-have, 
not a blocker. The red check is the `test_mm_*_limits` integration test, 
unrelated to this docs-only PR.
   
   On "the new flow of sec issues" — assuming you mean what happens once this 
lands: merging completes pre-flight, so CloudStack enters the scan queue at its 
criticality rank. When the scan runs, the findings come back to your three 
designated recipients (dahn@, rohit@, vishesh@) verbatim, for the PMC to triage 
against this very threat model — the §13 disposition table is what turns each 
finding into VALID / hardening / out-of-model. That's the "new flow." If you 
meant something else, let me know and I'll point you at the right place.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to