Comment 5 for bug 1740950

In that case, I'll triage it as a Class Y ("only found in development release") report from the VMT's perspective. If it lingers past Queens release day, we can revisit the advisory task.

https://security.openstack.org/vmt-process.html#incident-report-taxonomy