Comment 15 for bug 1654598

Jeremy Stanley (fungi) wrote :

While openstack/manila is not a "vulnerability:managed" deliverable, if it were, the OpenStack VMT would switch this bug to Public (not Public Security) and mark any security advisory task "won't fix" because, per comment #1, exploiting this requires guessing or having some other means of obtaining random UUIDs for other tenants' resources. This sort of bug falls under report class C1 in our taxonomy: "Not considered a practical vulnerability (but some people might assign a CVE for it), e.g. one depending on UUID guessing" https://security.openstack.org/vmt-process.html#incident-report-taxonomy

Adding the "security" bug tag after making the bug Public will cause the security mailing list to get notified too, in case the Security Team want to draft a future note to document this risk.