Comment 2 for bug 1915282

Just as a reminder, the VMT will only issue an advisory (OSSA) if an exploitable vulnerability is identified and code fixes for it are backported to supported stable branches. If there turns out to be the possibility of vulnerable production deployments where the best we can do is provide guidance to operators, then we should go ahead and switch this to a public report as soon as reasonable guidance has been drafted, for example in the form of a security note (OSSN), so as to get information into the hands of people who need it at the earliest opportunity.