SECURITY.md: don't impose normal process for low severity issues

author Daiki Ueno <ueno@gnu.org>

Sat, 28 Mar 2026 08:00:09 +0000 (17:00 +0900)

committer Daiki Ueno <ueno@gnu.org>

Sun, 29 Mar 2026 00:18:50 +0000 (09:18 +0900)
author Daiki Ueno <ueno@gnu.org>
Sat, 28 Mar 2026 08:00:09 +0000 (17:00 +0900)
committer Daiki Ueno <ueno@gnu.org>
Sun, 29 Mar 2026 00:18:50 +0000 (09:18 +0900)
diff --git a/SECURITY.md b/SECURITY.md

index 4a28e9231e0e4622d97bf14b7f6be689e0214217..f1b1b0fde4a13f29f942cc65c904d59ba365d9ba 100644 (file)
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -10,8 +10,9 @@ issue.
  
  A metric we consult to assessing security vulnerabilities is
  the [CVSS](https://www.first.org/cvss) metric. Only vulnerabilities
-at the high or critical level are handled with this process. Other
-issues are handled with the normal release process.
+at the high or critical level are handled with this process.
+Issues of lower severity are managed separately, often with different
+estimated times of arrival (ETAs) and backport targets.
  
  Some of the bundled programs, including gnutls-cli and gnutls-serv,
  are for testing and diagnostic purposes. Issues reported against those
author	Daiki Ueno <ueno@gnu.org>
	Sat, 28 Mar 2026 08:00:09 +0000 (17:00 +0900)
committer	Daiki Ueno <ueno@gnu.org>
	Sun, 29 Mar 2026 00:18:50 +0000 (09:18 +0900)