If I understand correctly, the worst-case scenario here is a slightly deferred token invalidation, which I would not consider OSSA (advisory) material (could be considered "working as designed"). It is certainly OSSN (security note / documentation) material though.
Given the impact and in order to facilitate work on this, I propose we open this bug publicly.
I think I have a slight preference for option 1 + OSSN in the immediate future.