)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"d04de53d52571abcd67a08c4fdf65ebb0972a3e8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"3c90594a_cc39800b","updated":"2026-03-26 18:58:52.000000000","message":"Text is good; formatting suggestion noted inline.","commit_id":"62efc7576649a14dac1ca202041c95dffe77e36d"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"fccd1ce8d24bfc2c281b5a3b14d2566fb6913414","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"5223fa87_d67ea064","updated":"2026-03-27 13:33:05.000000000","message":"I\u0027ll be interested to see what others think.  I\u0027ve got no objection to the content, but I wonder whether we need both the table and this new list.  (The alternative would be to beef up the \"Description\" column in the table, though on the other hand, you don\u0027t want to jam too much info into a table.)  
But I think the table is useful as a quick reference, so I can see why you didn\u0027t replace it.","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"}],"doc/source/vmt-process.rst":[{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"d04de53d52571abcd67a08c4fdf65ebb0972a3e8","unresolved":true,"context_lines":[{"line_number":337,"context_line":""},{"line_number":338,"context_line":"Classification Details"},{"line_number":339,"context_line":"^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":340,"context_line":""},{"line_number":341,"context_line":"**Class A — OSSA (OpenStack Security Advisory)**"},{"line_number":342,"context_line":"A confirmed, exploitable vulnerability in production OpenStack code"},{"line_number":343,"context_line":"for which a complete fix exists and can be backported to all"}],"source_content_type":"text/x-rst","patch_set":1,"id":"faf2e925_8331add3","line":340,"updated":"2026-03-26 18:58:52.000000000","message":"nit: this entire section could be formatted as a description list (though I don\u0027t know if anyone cares about the semantic web anymore).","commit_id":"62efc7576649a14dac1ca202041c95dffe77e36d"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"b6c0f957756e9e0063f89db462106ce67ccb2e6b","unresolved":true,"context_lines":[{"line_number":337,"context_line":""},{"line_number":338,"context_line":"Classification Details"},{"line_number":339,"context_line":"^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":340,"context_line":""},{"line_number":341,"context_line":"**Class A — OSSA (OpenStack Security Advisory)**"},{"line_number":342,"context_line":"A confirmed, exploitable vulnerability in production OpenStack code"},{"line_number":343,"context_line":"for which a complete fix exists and can be backported to 
all"}],"source_content_type":"text/x-rst","patch_set":1,"id":"725eaefd_d6f61ac0","line":340,"in_reply_to":"faf2e925_8331add3","updated":"2026-04-03 19:52:14.000000000","message":"yeah! we should listify this;","commit_id":"62efc7576649a14dac1ca202041c95dffe77e36d"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"84190a636431949b12de4a703fd438b5b26e5bd6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"41459a63_0949fa30","in_reply_to":"faf2e925_8331add3","updated":"2026-03-26 19:56:26.000000000","message":"Thanks Brian, I agree. I fixed up the formatting to do that.","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"38fffbf3fc7d4cf244286d22281870ffafc2e999","unresolved":false,"context_lines":[{"line_number":291,"context_line":""},{"line_number":292,"context_line":"The VMT uses this classification system to triage vulnerability"},{"line_number":293,"context_line":"reports and determine the appropriate response. Not every security"},{"line_number":294,"context_line":"bug report results in a formal advisory — the classification helps"},{"line_number":295,"context_line":"reporters and project teams understand why a particular outcome was"},{"line_number":296,"context_line":"chosen."},{"line_number":297,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"6e9d03fc_918ed1af","line":294,"updated":"2026-04-02 16:43:22.000000000","message":"Nit: I recommend avoiding unnecessary extended Unicode glyphs like em-dash in RST, a semicolon (;) would be more appropriate here. 
Overuse of em-dashes is also an \"LLM smell\" these days, and makes it feel like it was AI-written, losing some of the document\u0027s human touch.","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"4d9707bb6c2dc2f255fd731ae2a09c2bd3a33dc7","unresolved":true,"context_lines":[{"line_number":291,"context_line":""},{"line_number":292,"context_line":"The VMT uses this classification system to triage vulnerability"},{"line_number":293,"context_line":"reports and determine the appropriate response. Not every security"},{"line_number":294,"context_line":"bug report results in a formal advisory — the classification helps"},{"line_number":295,"context_line":"reporters and project teams understand why a particular outcome was"},{"line_number":296,"context_line":"chosen."},{"line_number":297,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"b1b81ffc_c171baf3","line":294,"in_reply_to":"3c73fca1_cc2cfd8c","updated":"2026-04-02 18:50:17.000000000","message":"It\u0027s not so much about writing style, it\u0027s that most people\u0027s keyboards lack an em-dash key, few people know to use or are even set up with compose key macros to be able to type them at all, and in rST Sphinx documentation you\u0027re better off using a triple-hyphen (similar with popular Markdown rendering engines), so when you see plain text files with em-dashes these days it\u0027s an indication that the text was likely copied and pasted from an LLM\u0027s output (which for unfathomable reasons seem to love to use em-dashes everywhere even in otherwise plain text files).","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / 
podcast.gr-oss.io"},"change_message_id":"3f4a0eca63e7a506e7c74a62006eda649635b865","unresolved":false,"context_lines":[{"line_number":291,"context_line":""},{"line_number":292,"context_line":"The VMT uses this classification system to triage vulnerability"},{"line_number":293,"context_line":"reports and determine the appropriate response. Not every security"},{"line_number":294,"context_line":"bug report results in a formal advisory — the classification helps"},{"line_number":295,"context_line":"reporters and project teams understand why a particular outcome was"},{"line_number":296,"context_line":"chosen."},{"line_number":297,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"7c6a8b14_1a262c59","line":294,"in_reply_to":"48a033b5_f69417d0","updated":"2026-04-07 15:49:52.000000000","message":"For the record; I am enough of a weirdo to copy+paste in non-keyboard characters at times ಠ_ಠ \n\n😄","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"d984ecf3fc2bedb75c8854185795478f0cd17128","unresolved":true,"context_lines":[{"line_number":291,"context_line":""},{"line_number":292,"context_line":"The VMT uses this classification system to triage vulnerability"},{"line_number":293,"context_line":"reports and determine the appropriate response. 
Not every security"},{"line_number":294,"context_line":"bug report results in a formal advisory — the classification helps"},{"line_number":295,"context_line":"reporters and project teams understand why a particular outcome was"},{"line_number":296,"context_line":"chosen."},{"line_number":297,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"3c73fca1_cc2cfd8c","line":294,"in_reply_to":"6e9d03fc_918ed1af","updated":"2026-04-02 17:58:19.000000000","message":"I don\u0027t care if we use an em-dash or semicolon for grammar reasons; but I do think it\u0027s demoralizing in its own way to modify your own personal writing style to avoid sounding like an LLM.","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"b6c0f957756e9e0063f89db462106ce67ccb2e6b","unresolved":false,"context_lines":[{"line_number":291,"context_line":""},{"line_number":292,"context_line":"The VMT uses this classification system to triage vulnerability"},{"line_number":293,"context_line":"reports and determine the appropriate response. Not every security"},{"line_number":294,"context_line":"bug report results in a formal advisory — the classification helps"},{"line_number":295,"context_line":"reporters and project teams understand why a particular outcome was"},{"line_number":296,"context_line":"chosen."},{"line_number":297,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"48a033b5_f69417d0","line":294,"in_reply_to":"b1b81ffc_c171baf3","updated":"2026-04-03 19:52:14.000000000","message":"\u003e demoralizing in its own way to modify your own personal writing style to avoid sounding like an LLM.\n\ni honestly echo this with a sigh :) I am not an English major, and don\u0027t want to  consider myself a native-english speaker. 
I can\u0027t even qualify what my writing style is, maybe there\u0027s an influence of 7 languages blending in my brain. Of late, I do use AI to fix my typos and grammar often. However, I loved to use em-dashes all along, and now I feel terrible about it being an \"AI Tell\". \n\n\nI\u0027ll fix this up though, maybe a semicolon, or even a period won\u0027t change how someone reads this.","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"38fffbf3fc7d4cf244286d22281870ffafc2e999","unresolved":false,"context_lines":[{"line_number":338,"context_line":"Classification Details"},{"line_number":339,"context_line":"^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":340,"context_line":""},{"line_number":341,"context_line":"Class A — OSSA (OpenStack Security Advisory)"},{"line_number":342,"context_line":"   A confirmed, exploitable vulnerability in production OpenStack code"},{"line_number":343,"context_line":"   for which a complete fix exists and can be backported to all"},{"line_number":344,"context_line":"   supported stable branches. Class A issues receive a formal security"}],"source_content_type":"text/x-rst","patch_set":2,"id":"bbf78a25_57cbdc95","line":341,"updated":"2026-04-02 16:43:22.000000000","message":"Nit: Here I\u0027d use a colon (:) instead of an em-dash. Similar recommendations for the further occurrences below: colons, semicolons and parenthetical expressions are preferable punctuation. 
If a situation really calls for it (which is rare) you can use a double-dash (--) for en-dash or a triple-dash (---) for em-dash, and Sphinx will convert them to the corresponding Unicode glyphs at build time.","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"b6c0f957756e9e0063f89db462106ce67ccb2e6b","unresolved":false,"context_lines":[{"line_number":338,"context_line":"Classification Details"},{"line_number":339,"context_line":"^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":340,"context_line":""},{"line_number":341,"context_line":"Class A — OSSA (OpenStack Security Advisory)"},{"line_number":342,"context_line":"   A confirmed, exploitable vulnerability in production OpenStack code"},{"line_number":343,"context_line":"   for which a complete fix exists and can be backported to all"},{"line_number":344,"context_line":"   supported stable branches. Class A issues receive a formal security"}],"source_content_type":"text/x-rst","patch_set":2,"id":"d7aa8138_c82e4929","line":341,"in_reply_to":"bbf78a25_57cbdc95","updated":"2026-04-03 19:52:14.000000000","message":"Colon sounds better, ty!","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"38fffbf3fc7d4cf244286d22281870ffafc2e999","unresolved":false,"context_lines":[{"line_number":342,"context_line":"   A confirmed, exploitable vulnerability in production OpenStack code"},{"line_number":343,"context_line":"   for which a complete fix exists and can be backported to all"},{"line_number":344,"context_line":"   supported stable branches. Class A issues receive a formal security"},{"line_number":345,"context_line":"   advisory (OSSA), a CVE identifier, and coordinated disclosure. 
This"},{"line_number":346,"context_line":"   is the most serious classification."},{"line_number":347,"context_line":""},{"line_number":348,"context_line":"Class B1 — OSSN (Security Note)"}],"source_content_type":"text/x-rst","patch_set":2,"id":"5aec2802_f4807ae4","line":345,"updated":"2026-04-02 16:43:22.000000000","message":"Maybe say \"...CVE identifier obtained by the VMT...\" to make it clear that we get them directly ourselves for this class.","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"b6c0f957756e9e0063f89db462106ce67ccb2e6b","unresolved":false,"context_lines":[{"line_number":342,"context_line":"   A confirmed, exploitable vulnerability in production OpenStack code"},{"line_number":343,"context_line":"   for which a complete fix exists and can be backported to all"},{"line_number":344,"context_line":"   supported stable branches. Class A issues receive a formal security"},{"line_number":345,"context_line":"   advisory (OSSA), a CVE identifier, and coordinated disclosure. This"},{"line_number":346,"context_line":"   is the most serious classification."},{"line_number":347,"context_line":""},{"line_number":348,"context_line":"Class B1 — OSSN (Security Note)"}],"source_content_type":"text/x-rst","patch_set":2,"id":"c7fa3f5a_4b13114d","line":345,"in_reply_to":"5aec2802_f4807ae4","updated":"2026-04-03 19:52:14.000000000","message":"++","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"38fffbf3fc7d4cf244286d22281870ffafc2e999","unresolved":false,"context_lines":[{"line_number":345,"context_line":"   advisory (OSSA), a CVE identifier, and coordinated disclosure. 
This"},{"line_number":346,"context_line":"   is the most serious classification."},{"line_number":347,"context_line":""},{"line_number":348,"context_line":"Class B1 — OSSN (Security Note)"},{"line_number":349,"context_line":"   A real vulnerability, but the fix can only be applied to the master"},{"line_number":350,"context_line":"   branch — it cannot be backported to stable releases. For example,"},{"line_number":351,"context_line":"   fixing the issue requires changing a default configuration value"}],"source_content_type":"text/x-rst","patch_set":2,"id":"e066a630_05905838","line":348,"updated":"2026-04-02 16:43:22.000000000","message":"\"OSSN (OpenStack Security Note)\"","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"b6c0f957756e9e0063f89db462106ce67ccb2e6b","unresolved":false,"context_lines":[{"line_number":345,"context_line":"   advisory (OSSA), a CVE identifier, and coordinated disclosure. This"},{"line_number":346,"context_line":"   is the most serious classification."},{"line_number":347,"context_line":""},{"line_number":348,"context_line":"Class B1 — OSSN (Security Note)"},{"line_number":349,"context_line":"   A real vulnerability, but the fix can only be applied to the master"},{"line_number":350,"context_line":"   branch — it cannot be backported to stable releases. 
For example,"},{"line_number":351,"context_line":"   fixing the issue requires changing a default configuration value"}],"source_content_type":"text/x-rst","patch_set":2,"id":"8e5d2583_5d823c8a","line":348,"in_reply_to":"e066a630_05905838","updated":"2026-04-03 19:52:14.000000000","message":"Done","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"d984ecf3fc2bedb75c8854185795478f0cd17128","unresolved":true,"context_lines":[{"line_number":351,"context_line":"   fixing the issue requires changing a default configuration value"},{"line_number":352,"context_line":"   that would break backwards compatibility. Stable branch users"},{"line_number":353,"context_line":"   receive a security note (OSSN) describing the risk and any"},{"line_number":354,"context_line":"   available workarounds."},{"line_number":355,"context_line":""},{"line_number":356,"context_line":"Class B2 — OSSN"},{"line_number":357,"context_line":"   A real vulnerability, but no complete fix is available. The issue"}],"source_content_type":"text/x-rst","patch_set":2,"id":"5ff65ec6_aa6c2cb1","line":354,"updated":"2026-04-02 17:58:19.000000000","message":"I don\u0027t know if this is worth noting as a \"policy\", but in Ironic we\u0027ve backported security fixes that modify behavior hidden behind a default-off config.","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"b6c0f957756e9e0063f89db462106ce67ccb2e6b","unresolved":true,"context_lines":[{"line_number":351,"context_line":"   fixing the issue requires changing a default configuration value"},{"line_number":352,"context_line":"   that would break backwards compatibility. 
Stable branch users"},{"line_number":353,"context_line":"   receive a security note (OSSN) describing the risk and any"},{"line_number":354,"context_line":"   available workarounds."},{"line_number":355,"context_line":""},{"line_number":356,"context_line":"Class B2 — OSSN"},{"line_number":357,"context_line":"   A real vulnerability, but no complete fix is available. The issue"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9552bc7b_70bb6c53","line":354,"in_reply_to":"4b068392_b3ebfdcc","updated":"2026-04-03 19:52:14.000000000","message":"I see. Is it worth noting this sort of resolution or leave it up to the maintainers\u0027 judgement?","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"aa9b97360fe09dbfec9abb236e0eca374da2bd62","unresolved":true,"context_lines":[{"line_number":351,"context_line":"   fixing the issue requires changing a default configuration value"},{"line_number":352,"context_line":"   that would break backwards compatibility. Stable branch users"},{"line_number":353,"context_line":"   receive a security note (OSSN) describing the risk and any"},{"line_number":354,"context_line":"   available workarounds."},{"line_number":355,"context_line":""},{"line_number":356,"context_line":"Class B2 — OSSN"},{"line_number":357,"context_line":"   A real vulnerability, but no complete fix is available. 
The issue"}],"source_content_type":"text/x-rst","patch_set":2,"id":"4b068392_b3ebfdcc","line":354,"in_reply_to":"5ff65ec6_aa6c2cb1","updated":"2026-04-02 18:55:24.000000000","message":"And in cases where this happens, it has normally made sense to have an OSSN (not an OSSA) because the operator needs to do more than apply the fix, they also need to turn on the security feature.","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"3f4a0eca63e7a506e7c74a62006eda649635b865","unresolved":true,"context_lines":[{"line_number":351,"context_line":"   fixing the issue requires changing a default configuration value"},{"line_number":352,"context_line":"   that would break backwards compatibility. Stable branch users"},{"line_number":353,"context_line":"   receive a security note (OSSN) describing the risk and any"},{"line_number":354,"context_line":"   available workarounds."},{"line_number":355,"context_line":""},{"line_number":356,"context_line":"Class B2 — OSSN"},{"line_number":357,"context_line":"   A real vulnerability, but no complete fix is available. The issue"}],"source_content_type":"text/x-rst","patch_set":2,"id":"6f67ebbe_317cafa7","line":354,"in_reply_to":"9552bc7b_70bb6c53","updated":"2026-04-07 15:49:52.000000000","message":"I think there are people who will read this as a directive instead of general guidance. 
That\u0027s mainly where my concern comes from.","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"38fffbf3fc7d4cf244286d22281870ffafc2e999","unresolved":false,"context_lines":[{"line_number":360,"context_line":"   risk and suggest mitigations until a longer-term solution is"},{"line_number":361,"context_line":"   developed."},{"line_number":362,"context_line":""},{"line_number":363,"context_line":"Class B3 — OSSN"},{"line_number":364,"context_line":"   A real vulnerability, but it exists in an experimental, debugging,"},{"line_number":365,"context_line":"   or technology-preview feature that is not intended for production"},{"line_number":366,"context_line":"   deployment. An OSSN may be published to advise operators who have"}],"source_content_type":"text/x-rst","patch_set":2,"id":"feb8f3e7_1cf94899","line":363,"updated":"2026-04-02 16:43:22.000000000","message":"Nit: We ought to make this one \"Potential OSSN\" (and correct the table above) since, as you correctly indicate here, we haven\u0027t typically issued them for class B3 reports. 
Usually it has to be a pretty serious or widely-used feature that people tend to turn on in production without thoroughly considering the risks.","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"b6c0f957756e9e0063f89db462106ce67ccb2e6b","unresolved":false,"context_lines":[{"line_number":360,"context_line":"   risk and suggest mitigations until a longer-term solution is"},{"line_number":361,"context_line":"   developed."},{"line_number":362,"context_line":""},{"line_number":363,"context_line":"Class B3 — OSSN"},{"line_number":364,"context_line":"   A real vulnerability, but it exists in an experimental, debugging,"},{"line_number":365,"context_line":"   or technology-preview feature that is not intended for production"},{"line_number":366,"context_line":"   deployment. An OSSN may be published to advise operators who have"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9fb0fff0_4d44c724","line":363,"in_reply_to":"feb8f3e7_1cf94899","updated":"2026-04-03 19:52:14.000000000","message":"Yes, makes sense. Done","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"38fffbf3fc7d4cf244286d22281870ffafc2e999","unresolved":false,"context_lines":[{"line_number":370,"context_line":"   A reported issue that the VMT does not consider a practical,"},{"line_number":371,"context_line":"   exploitable vulnerability — for example, an attack that requires"},{"line_number":372,"context_line":"   implausible conditions or produces negligible impact. An external"},{"line_number":373,"context_line":"   party might still assign a CVE for it. 
A security note may be"},{"line_number":374,"context_line":"   published if the issue generates sufficient community discussion."},{"line_number":375,"context_line":""},{"line_number":376,"context_line":"Class C2 — Potential OSSN"}],"source_content_type":"text/x-rst","patch_set":2,"id":"1b972480_019f5044","line":373,"updated":"2026-04-02 16:43:22.000000000","message":"\"An external party might still assign a CVE, but it is not required and the VMT will not obtain one directly.\" However, this goes for other non-class-A reports as well. We don\u0027t control what other parties may or may not assign CVEs for, and historically don\u0027t challenge or request they be rejected except in cases where they contain obvious misinformation.","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"b6c0f957756e9e0063f89db462106ce67ccb2e6b","unresolved":true,"context_lines":[{"line_number":370,"context_line":"   A reported issue that the VMT does not consider a practical,"},{"line_number":371,"context_line":"   exploitable vulnerability — for example, an attack that requires"},{"line_number":372,"context_line":"   implausible conditions or produces negligible impact. An external"},{"line_number":373,"context_line":"   party might still assign a CVE for it. A security note may be"},{"line_number":374,"context_line":"   published if the issue generates sufficient community discussion."},{"line_number":375,"context_line":""},{"line_number":376,"context_line":"Class C2 — Potential OSSN"}],"source_content_type":"text/x-rst","patch_set":2,"id":"4f351c69_60f6f223","line":373,"in_reply_to":"1b972480_019f5044","updated":"2026-04-03 19:52:14.000000000","message":"++ Added\n\nAlthough for Class A, i want to leave that information out and let us still take it up case-by-case. 
Wdyt?","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"38fffbf3fc7d4cf244286d22281870ffafc2e999","unresolved":false,"context_lines":[{"line_number":389,"context_line":"Class E — Regular Bug"},{"line_number":390,"context_line":"   Neither a vulnerability nor a security hardening opportunity. The"},{"line_number":391,"context_line":"   report describes a normal software defect without security"},{"line_number":392,"context_line":"   implications. The OSSA task is closed as Won\u0027t Fix and the bug is"},{"line_number":393,"context_line":"   redirected to normal project bug triage."},{"line_number":394,"context_line":""},{"line_number":395,"context_line":"Class Y — Development Only"}],"source_content_type":"text/x-rst","patch_set":2,"id":"06091e21_c913f2d6","line":392,"updated":"2026-04-02 16:43:22.000000000","message":"Nit: It may be worth noting that we generally close all class B/C/D/Y as Won\u0027t Fix.","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"b6c0f957756e9e0063f89db462106ce67ccb2e6b","unresolved":false,"context_lines":[{"line_number":389,"context_line":"Class E — Regular Bug"},{"line_number":390,"context_line":"   Neither a vulnerability nor a security hardening opportunity. The"},{"line_number":391,"context_line":"   report describes a normal software defect without security"},{"line_number":392,"context_line":"   implications. 
The OSSA task is closed as Won\u0027t Fix and the bug is"},{"line_number":393,"context_line":"   redirected to normal project bug triage."},{"line_number":394,"context_line":""},{"line_number":395,"context_line":"Class Y — Development Only"}],"source_content_type":"text/x-rst","patch_set":2,"id":"b57a857b_5735ed2a","line":392,"in_reply_to":"06091e21_c913f2d6","updated":"2026-04-03 19:52:14.000000000","message":"+1 noted.","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"38fffbf3fc7d4cf244286d22281870ffafc2e999","unresolved":false,"context_lines":[{"line_number":402,"context_line":"   followed correctly — for example, if significant details of an"},{"line_number":403,"context_line":"   embargoed report were disclosed publicly before the advisory was"},{"line_number":404,"context_line":"   ready. This is not a vulnerability classification but a process"},{"line_number":405,"context_line":"   tracking category."},{"line_number":406,"context_line":""},{"line_number":407,"context_line":"How Classification Is Determined"},{"line_number":408,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":2,"id":"f7bb641a_6a076563","line":405,"updated":"2026-04-02 16:43:22.000000000","message":"This is an understandable misinterpretation of what was originally meant in the table. Z was originally our catch-all for anything that didn\u0027t fit into the other classes, mainly (but not exclusively) reports that weren\u0027t bugs at all like user error, misconfiguration, misunderstanding some documentation, or more recently LLM hallucinations. 
We don\u0027t have a classification for things like early embargo termination because the reports themselves are generally still falling into one of the other classes anyway, so that\u0027s not a distinct report class in my opinion.","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"82aed5e2100b746ddf71625f2f2c0147fb5dd40f","unresolved":false,"context_lines":[{"line_number":402,"context_line":"   followed correctly — for example, if significant details of an"},{"line_number":403,"context_line":"   embargoed report were disclosed publicly before the advisory was"},{"line_number":404,"context_line":"   ready. This is not a vulnerability classification but a process"},{"line_number":405,"context_line":"   tracking category."},{"line_number":406,"context_line":""},{"line_number":407,"context_line":"How Classification Is Determined"},{"line_number":408,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":2,"id":"d22a131d_80d9a0f1","line":405,"in_reply_to":"cb035a48_8527a5ca","updated":"2026-04-03 19:52:33.000000000","message":"Done","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"b6c0f957756e9e0063f89db462106ce67ccb2e6b","unresolved":true,"context_lines":[{"line_number":402,"context_line":"   followed correctly — for example, if significant details of an"},{"line_number":403,"context_line":"   embargoed report were disclosed publicly before the advisory was"},{"line_number":404,"context_line":"   ready. 
This is not a vulnerability classification but a process"},{"line_number":405,"context_line":"   tracking category."},{"line_number":406,"context_line":""},{"line_number":407,"context_line":"How Classification Is Determined"},{"line_number":408,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":2,"id":"cb035a48_8527a5ca","line":405,"in_reply_to":"f7bb641a_6a076563","updated":"2026-04-03 19:52:14.000000000","message":"Oh, this was my understanding from \"due process fail\". But I\u0027ll add the language about catch-all.","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"38fffbf3fc7d4cf244286d22281870ffafc2e999","unresolved":false,"context_lines":[{"line_number":413,"context_line":""},{"line_number":414,"context_line":"1. **Is it a real vulnerability?** If the reported behavior does"},{"line_number":415,"context_line":"   not pose a security risk, it is classified as Class E (regular"},{"line_number":416,"context_line":"   bug) or Class D (hardening opportunity)."},{"line_number":417,"context_line":""},{"line_number":418,"context_line":"2. 
**Is it in OpenStack\u0027s own code?** If the vulnerability exists"},{"line_number":419,"context_line":"   in a dependency rather than OpenStack-maintained code, it is"}],"source_content_type":"text/x-rst","patch_set":2,"id":"e5976bc0_28230430","line":416,"updated":"2026-04-02 16:43:22.000000000","message":"Also possible that it\u0027s not a bug at all (per above discussion).","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"82aed5e2100b746ddf71625f2f2c0147fb5dd40f","unresolved":false,"context_lines":[{"line_number":413,"context_line":""},{"line_number":414,"context_line":"1. **Is it a real vulnerability?** If the reported behavior does"},{"line_number":415,"context_line":"   not pose a security risk, it is classified as Class E (regular"},{"line_number":416,"context_line":"   bug) or Class D (hardening opportunity)."},{"line_number":417,"context_line":""},{"line_number":418,"context_line":"2. **Is it in OpenStack\u0027s own code?** If the vulnerability exists"},{"line_number":419,"context_line":"   in a dependency rather than OpenStack-maintained code, it is"}],"source_content_type":"text/x-rst","patch_set":2,"id":"c637cd7f_82ea68df","line":416,"in_reply_to":"8a019a98_15e61217","updated":"2026-04-03 19:52:33.000000000","message":"Done","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"b6c0f957756e9e0063f89db462106ce67ccb2e6b","unresolved":true,"context_lines":[{"line_number":413,"context_line":""},{"line_number":414,"context_line":"1. 
**Is it a real vulnerability?** If the reported behavior does"},{"line_number":415,"context_line":"   not pose a security risk, it is classified as Class E (regular"},{"line_number":416,"context_line":"   bug) or Class D (hardening opportunity)."},{"line_number":417,"context_line":""},{"line_number":418,"context_line":"2. **Is it in OpenStack\u0027s own code?** If the vulnerability exists"},{"line_number":419,"context_line":"   in a dependency rather than OpenStack-maintained code, it is"}],"source_content_type":"text/x-rst","patch_set":2,"id":"8a019a98_15e61217","line":416,"in_reply_to":"e5976bc0_28230430","updated":"2026-04-03 19:52:14.000000000","message":"+1","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"38fffbf3fc7d4cf244286d22281870ffafc2e999","unresolved":false,"context_lines":[{"line_number":428,"context_line":"   use, it is classified as Class B3. If it only exists in an"},{"line_number":429,"context_line":"   unreleased development branch, it is classified as Class Y."},{"line_number":430,"context_line":""},{"line_number":431,"context_line":"5. **Does a complete fix exist?** If no complete fix is available"},{"line_number":432,"context_line":"   due to architectural limitations, it is classified as Class B2."},{"line_number":433,"context_line":""},{"line_number":434,"context_line":"6. 
**Can the fix be backported to supported stable branches?** If"}],"source_content_type":"text/x-rst","patch_set":2,"id":"563158ad_c26883b6","line":431,"updated":"2026-04-02 16:43:22.000000000","message":"Maybe \"Is a complete fix possible?\" instead, since we tend to classify things before fixes exist regardless (though we may reclassify them over the lifetime of the report if circumstances or our understanding changes).","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"b6c0f957756e9e0063f89db462106ce67ccb2e6b","unresolved":false,"context_lines":[{"line_number":428,"context_line":"   use, it is classified as Class B3. If it only exists in an"},{"line_number":429,"context_line":"   unreleased development branch, it is classified as Class Y."},{"line_number":430,"context_line":""},{"line_number":431,"context_line":"5. **Does a complete fix exist?** If no complete fix is available"},{"line_number":432,"context_line":"   due to architectural limitations, it is classified as Class B2."},{"line_number":433,"context_line":""},{"line_number":434,"context_line":"6. **Can the fix be backported to supported stable branches?** If"}],"source_content_type":"text/x-rst","patch_set":2,"id":"4b979417_7931ee6b","line":431,"in_reply_to":"563158ad_c26883b6","updated":"2026-04-03 19:52:14.000000000","message":"Done","commit_id":"c5edce6975f265d210428d4f85d878d554bbaf08"}]}
