[Secure-testing-commits] r56743 - doc/security-team.d.o

Raphael Geissert geissert at moszumanska.debian.org
Mon Oct 16 10:23:49 UTC 2017


Author: geissert
Date: 2017-10-16 10:23:49 +0000 (Mon, 16 Oct 2017)
New Revision: 56743

Modified:
   doc/security-team.d.o/security_tracker
Log:
corrections related to CVE id requests and an obsolete note


Modified: doc/security-team.d.o/security_tracker
===================================================================
--- doc/security-team.d.o/security_tracker	2017-10-16 10:01:11 UTC (rev 56742)
+++ doc/security-team.d.o/security_tracker	2017-10-16 10:23:49 UTC (rev 56743)
@@ -441,9 +441,8 @@
 
 ### Vulnerabilities without an assigned CVE id
 
-If you learn of a vulnerability to which no CVE id has been assigned yet, you can request one.
-To request a CVE for public issues, you can
-[write to the moderated oss-security list](https://github.com/RedHatProductSecurity/CVE-HOWTO).
+If you learn of a vulnerability to which no CVE id has been assigned yet, you can
+[request one](https://github.com/RedHatProductSecurity/CVE-HOWTO).
 In the meantime, you can add an entry of the form
 
     CVE-2009-XXXX [optipng array overflow]
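Review bot: In the rewritten first sentence the qualifier "for public issues" from the removed lines is gone, so the text now reads as if the linked CVE-HOWTO is the route for any vulnerability, including ones that are not yet public. Suggest keeping the scope explicit in that sentence, or pointing to where requests for non-public issues are described. The link text "request one" also no longer says where the link leads; naming the CVE-HOWTO in the link text would make the destination clear.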
@@ -468,6 +467,10 @@
 <team at security.debian.org> and include a description which follows CVE
 conventions.
 
+The vulnerabilities must be announced at a later point.  This is a
+requirement by MITRE and can be fulfilled by, for instance, sending an
+announcement to the [oss-security mailing list](glossary.html#oss-sec).
+
 Distribution tags
 -----------------
 
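Review bot: In the added paragraph, "must be announced at a later point" does not say who has to make the announcement or relative to what event, which matters because it is stated as a MITRE requirement. Suggest naming the responsible party (the person who requested the id, or the team) and the point in time that is meant, and changing "a requirement by MITRE" to "a requirement of MITRE".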
@@ -549,9 +552,7 @@
 is added like this to `DSA/list` is parsed by a script and automatically
 added to `CVE/list`.  The next lines contain the fixes for stable and
 optionally oldstable, addressed with distribution tags.  You may add
-`NOTE:` entries freely, we use a `NOTE` entry for statistical purposes
-that tracks when a fix has reached testing relative to the time when
-it hit stable.
+`NOTE:` entries freely.
 
 There is no need to add anything to `CVE/list` for a DSA, the DSA
 cross-reference will be added automatically by the cron job. However,
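Review bot: With the explanation removed, the remaining sentence "`NOTE:` entries freely." no longer tells the reader what a NOTE entry in `DSA/list` is for. The same paragraph says entries in this file are parsed by a script, so it would help to state in one clause how NOTE lines are treated (for example, that they are free-form comments, if that is the case) and to say in the log message that the statistical NOTE is no longer consumed by anything.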
