<div class="markdown">
<p dir="auto">I'd like to lengthen the embargo window on CVE disclosures.</p>
<p dir="auto">Currently, the process is this (<a href="https://security.openstack.org/vmt-process.html">https://security.openstack.org/vmt-process.html</a>):</p>
<ol>
<li value=1>A security bug is reported (and confirmed as valid)</li>
<li value=2>A patch is developed and reviewed</li>
<li value=3>After the proposed fix is approved by reviewers, a CVE is filed</li>
<li value=4>3-5 business days later, the vulnerability is disclosed publicly and the patches are landed upstream</li>
</ol>
<p dir="auto">The problem as I see it is that the 3 to 5 day embargo is way too short. Specifically, for those supporting OpenStack projects in a product, the short embargo does not allow sufficient time for applying, testing, and staging the fix in time for the disclosure. This leaves end-users and deployers with the situation of having a publicly announced security vulnerability without any hope of having a fix.</p>
<p dir="auto">I would like the embargo period to be lengthened to be 2 weeks.</p>
<p dir="auto">--John</p>
</div>