Comment 8 for bug 1213241

Ahh, yes, I would consider this a security vulnerability in unreleased software, fixed prior to official release. Given the class of vulneravility and limited potential points of exposure, coupled with the fact that we don't currently encourage continuous-deployment or milestone snapshots for production use cases, It's probably not necessary to issue an OSSA. CVEs are often enough assigned to pre-release/beta software versions if they're in wide use (where defining wide is left as an exercise for the reader), but I'd leave it up to the security group to decide whether they want to pursue a CVE assignment for it once the bug is opened up.