Comment 10 for bug 1823200

Jeremy Stanley (fungi) wrote:

It was meant to read "will be made public by or on that date EVEN if no fix is identified" since the policy change linked in my accompanying comment says:

    Embargoes for privately-reported vulnerabilities shall not last
    more than 90 days, except under unusual circumstances. Following
    the embargo expiration, reports will be publicly visible
    regardless of whether an advisory has been issued.

(now published at https://governance.openstack.org/tc/reference/tags/vulnerability_managed.html#requirements )

We also don't have any process identified for notifying consumers privately to make configuration changes; our OSSA process is focused on applying patches since the primary audience is downstream package maintainers for distributions (though we do have some large public cloud operators subscribed to receive advance copies of those patches for evaluation as well). In the past our policy for fixes requiring configuration changes has been to make them public as quickly as possible so that all operators/users can apply mitigations sooner.

That said, the embargo expiration policy does carve out an exception for "unusual circumstances" and we could attempt to reuse our pre-OSSA notification channel for OSSN guidance (I think it's been done once, several years ago). I still wonder why we need an exception here, since the report sat ignored for 10 months and saw no activity until it was nearing the new embargo expiration. If it wasn't critical enough for anyone to even comment on for nearly a year, is it really so critical that we need to continue to keep it a secret now? And if so, how long past May 27 do you propose extending the embargo? Three days? A week?