John, for bugs under embargo, we do notify stakeholders before disclosure; it's part of the vulnerability management process. Though there is no mailing list, it's a simple recipient list maintained by the VMT.
However, for this bug we still need:
* patch (for master and impacted stable branches) to be reviewed and approved
* impact description to be approved
* CVE (to be requested with the approved impact description)
Then we can move on to choosing a proper disclosure date and send the advance notification.