raboof commented on code in PR #437: URL: https://github.com/apache/cloudstack-www/pull/437#discussion_r3362997560
########## src/pages/security.md: ########## @@ -39,12 +39,16 @@ team](https://www.apache.org/security/) via email to vulnerability, how it might be exploited, and any additional information that might be useful. -Upon notification, the ASF security team will work with the CloudStack PMC -through validation and fixing the issue. If the issue is validated, it generally -takes 2-4 weeks from notification to public announcement of the vulnerability. -During this time, the team will communicate with you as they proceed through the -response procedure, and ask that the issue not be announced before an -agreed-upon date. +Upon notification, the ASF security team will work with the CloudStack +PMC through validation and fixing the issue. If the issue is +validated, it will still take time to fix the issue. The amount of +time depends on the availability of volunteers and number people +involved that have a stake in the issue. In later years it has turned Review Comment: It might make sense to mention that the round-trip time also depends on the severity of the issue? Hopefully severe issues won't be open for six months ;) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
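Review bot: In the added sentence "The amount of time depends on the availability of volunteers and number people involved that have a stake in the issue", "number people" is missing "of", and "In later years" probably wants to be "In recent years". The removed paragraph also told reporters that the team will communicate with them during the response procedure and asks that the issue not be announced before an agreed-upon date. The visible part of the new text restates neither, so please confirm that the lines following "In later years it has turned" keep both the communication commitment and the embargo request, since those are the parts a reporter acts on.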
