Comment 1 for bug 2030976

I've added a "won't fix" security advisory task for now as a formality, since reports of suspected vulnerabilities are not officially overseen by the OpenStack Vulnerability Management Team: https://security.openstack.org/repos-overseen.html

I'm still happy to provide guidance on behalf of the VMT on a best-effort basis.