Clarify what announcements may be made by to service users

author Ian Jackson <ijackson@chiark.greenend.org.uk>

Fri, 16 Jan 2015 19:51:21 +0000 (19:51 +0000)

committer Ian Jackson <Ian.Jackson@eu.citrix.com>

Mon, 19 Jan 2015 17:53:39 +0000 (17:53 +0000)
author Ian Jackson <ijackson@chiark.greenend.org.uk>
Fri, 16 Jan 2015 19:51:21 +0000 (19:51 +0000)
committer Ian Jackson <Ian.Jackson@eu.citrix.com>
Mon, 19 Jan 2015 17:53:39 +0000 (17:53 +0000)
diff --git a/security_vulnerability_process.html b/security_vulnerability_process.html

index 741265252c033e0120f81d6d92f21f28184d7741..3b9c1bac9a6a87d2c0b7f7156c866fb5a701a22b 100644 (file)
--- a/security_vulnerability_process.html
+++ b/security_vulnerability_process.html
@@ -222,6 +222,14 @@ restrictions only insofar as it is necessary to prevent the exposure
  of technicalities (for example, differences in behaviour) which
  present a significant risk of rediscovery of the vulnerability.  Such
  situations are expected to be rare.</p>
+<p>Where the list member is a service provider who intends to take
+disruptive action such as rebooting as part of deploying a fix: the
+list member's communications to its users about the service disruption
+may mention that the disruption is to correct a security issue, and
+relate it to the public information about the issue (as listed above).
+This applies whether the deployment occurs during the embargo (with
+permission - see above) or is planned for after the end of the
+embargo.</p>
  <p><em>NOTE:</em> Prior v2.2 of this policy (25 June 2014) it was
  permitted to also make available the allocated CVE number. This is no
  longer permitted in accordance with MITRE policy.</p>
author	Ian Jackson <ijackson@chiark.greenend.org.uk>
	Fri, 16 Jan 2015 19:51:21 +0000 (19:51 +0000)
committer	Ian Jackson <Ian.Jackson@eu.citrix.com>
	Mon, 19 Jan 2015 17:53:39 +0000 (17:53 +0000)