Comment 24 for bug 1554288

Jeremy Stanley (fungi) wrote :

If it ends up being agreed upon as C1 (or anything other than class A) there won't be an OpenStack Security Advisory and the OpenStack Vulnerability Management Team won't request a CVE. It's possible the OpenStack Security Notes editors will publish some information on it, in which case it will be up to them to include credit for the discovery. Anyone can request a CVE for tracking this once it's public, even if the VMT does not deem it a practical vulnerability.

Anyway, given the low risk/impact of the reported issue, I recommend making this public by the end of the week unless there are any objections.