Comment 9 for bug 1787214

Ken: The process recommended by the OpenStack Vulnerability Management Team is documented at https://security.openstack.org/vmt-process.html (though since oslo.log and oslo.messaging haven't applied for VMT oversight they're not necessarily obliged to follow the timeline described there).