Comment 2 for bug 1687018

If this risk relies strictly on guessing or finding a victim's instance UUID through other means, then it's a class C1 report per our taxonomy and can be triaged as a potential hardening opportunity instead. https://security.openstack.org/vmt-process.html#incident-report-taxonomy

Since C1 implies the possibility of an OSSN, I'm also subscribing the ossg-coresec team to review it.