Comment 7 for bug 1620629

Jeremy Stanley (fungi) wrote :

Yes, the VMT recommends only attaching patches for security issues to the bug until it's made public, so we don't usually run into this for vulnerability:managed projects:

https://security.openstack.org/vmt-process.html#reception-embargo-reminder-private-issues

Bug-linking automation in our CI can't find private bugs in Launchpad, but if you're going to push a fix for a vulnerability to public code review it makes a lot of sense to switch the report to public security before doing so anyway. Also, even if this bug were public, the bug-linking automation would fail to find it because the reported task is currently for neutron but the change referencing it is pushed to octavia instead, so you'll want to fix that as well.

Now that there's a change in code review that claims to be security-relevant and refers directly to a bug most people will find they're unable to read, the issue is pretty clearly disclosed. Better to go ahead and switch this to public security or public depending on whether you consider it an exploitable vulnerability or not.