The Vulnerability Management Team (VMT) has recently updated the vulnerability:managed policy[0]. The key points are:
- Softened requirement #5 of the policy from a hard requirement to a recommendation
- Clarified that the VMT does not track external software components
- Defined that a project must tag releases to qualify for VMT oversight, and that the VMT only deals with vulnerabilities in real releases (not pre-releases, release candidates, milestones...)
- Private embargoes shall not last more than 90 days, except under unusual circumstances
With the VMT policy changes[0] merged, we have also updated the VMT process document[1] to match. The biggest change to note is the new 90-day embargo limit:
"If a report is held in embargo for 90 days without a fix, or significant details of the report
are disclosed in a public venue, the embargo is terminated by a VMT coordinator at that
time and subsequent process switches to the public report workflow instead."
We'll be updating all current private reports to let participants know that there is a 90-day deadline (counted from when we update the report) after which those reports will be made public.