[security] Vulnerability Management Policy Changes
The Vulnerability Management Team (VMT) has recently updated the vulnerability:managed policy[0] here, the key points are:

- Softened our #5 policy from a hard requirement to a recommendation
- Clarified that the VMT does not track external software components
- Defined that a project must tag releases to qualify for VMT oversight, and that the VMT only deals with vulnerabilities in real releases (not pre-releases, release candidates, milestones...)
- Private embargoes shall not last more than 90 days, except under unusual circumstances

With the VMT policy changes[0] merged, we have also updated the VMT process document[1] to match. The biggest change to note is the new 90 day embargo limit:

"If a report is held in embargo for 90 days without a fix, or significant details of the report are disclosed in a public venue, the embargo is terminated by a VMT coordinator at that time and subsequent process switches to the public report workflow instead."

We'll be updating all current private reports to let participants know that there is a 90-day deadline (from when we update the report) to make those reports public.

[0] https://review.opendev.org/#/c/678426/
[1] https://security.openstack.org/vmt-process.html
Participants (1):
- Gage Hugo