Hi. I'm a contributor to Open vSwitch. Over in OVS, we're forming a vulnerability management process, modeled on the one used in OpenStack described at https://wiki.openstack.org/wiki/Vulnerability_Management. We're trying to figure out what criteria to use for deciding what companies or organizations qualify as downstream stakeholders. Can anyone tell us what criteria or policy OpenStack uses? Thanks, Ben.