Comment 9 for bug 1380669

Jeremy Stanley (fungi) wrote:

For past bug reports, we've not knowingly issued advisories when guessing another tenant's resource UUID is a required component of the exploit. On the other hand, a bug which leaks information about such UUIDs or otherwise makes them easier for an attacker to guess would require an advisory.

Unless anyone disagrees or has new details to provide about this issue, I propose we treat it as class C1 https://wiki.openstack.org/wiki/Vulnerability_Management#Incident_report_taxonomy and switch the report to public on Thursday, January 29.