> So where do we start?
>
> I guess a good point is to refer everyone to
> http://fedoraproject.org/wiki/Extras/Schedule/SecurityPolicy and get some
> discussion going on that

I've looked that document over in the past. I admit the times at the end chart scare me. That's a fairly complicated chart.

Within Red Hat there was discussion about how to best classify security issues, this is what we came up with:
http://www.redhat.com/security/updates/classification/

When one has to classify security threats, less is more. I would suggest something more along these lines:

Critical: Don't bother waiting for the maintainer, do whatever it takes to fix it.
Important: A few days.
Moderate: A few weeks.
Low: A few months.

--
JB