Comment 5 for bug 1534652

If the issue described here is already considered public knowledge or has been discussed in modest detail in a public venue, then we should switch the report to either Public Security (or just Public it doesn't seem like something for which we'd issue a security advisory). If this issue is not yet publicly known, then the VMT generally leaves it up to the bug reporter and security reviewers for the affected project(s) to determine whether the risk is significant enough to require any embargo period.