If the Neutron security reviewers don't consider this to be a severe enough exploit risk to warrant privately notifying operators and distributors prior to public disclosure, we could simply switch the report to public now and just follow OpenStack's normal code review and testing workflow instead of bothering with attaching patches to the bug and trying to test locally in secret.
If the Neutron security reviewers don't consider this to be a severe enough exploit risk to warrant privately notifying operators and distributors prior to public disclosure, we could simply switch the report to public now and just follow OpenStack's normal code review and testing workflow instead of bothering with attaching patches to the bug and trying to test locally in secret.