Comment 6 for bug 1732294

Sure, it's better to be safe than sorry.

For the record we do not have (yet) a hard limit on the acceptable duration of report embargoes. In the event we open a bug report, it will have to go through an embargo-exception first, as explained here: https://security.openstack.org/vmt-process.html#embargo-exceptions

Also it's worth noting that vulnerability reporters retain final control over the disclosure of their findings. If for some reason they are uncomfortable with our process, their choice of disclosure terms prevails.

Thanks.