From 75267d110b96b0c2551dc635d7202320b6b2c726 Mon Sep 17 00:00:00 2001 From: Jeremy Stanley Date: Wed, 9 Dec 2015 20:21:18 +0000 Subject: [PATCH] Add class B3 and an example for C1 to the taxonomy Be more explicit that OSSA does not cover vulnerabilities in experimental features, backends and drivers by adding a new class B3 for these in the taxonomy. Also clarify that vulnerabilities relying on UUID guessing are considered impractical, as an example for class C1. Change-Id: Ie73dfb0358913e6bdfeba56e6105f8156382d042 --- doc/source/vmt-process.rst | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/doc/source/vmt-process.rst b/doc/source/vmt-process.rst index 1ca0bf4..a72a464 100644 --- a/doc/source/vmt-process.rst +++ b/doc/source/vmt-process.rst @@ -183,9 +183,13 @@ warrant an advisory. | | | yet, security note for all versions, | | | | e.g., poor architecture / design | +----------+-----------+-------------------------------------------+ +| Class B3 | OSSN | A vulnerability in experimental or | +| | | debugging features not intended for | +| | | production use | ++----------+-----------+-------------------------------------------+ | Class C1 | Potential | Not considered a practical vulnerability | | | OSSN | (but some people might assign a CVE for | -| | | it) | +| | | it), e.g. one depending on UUID guessing | +----------+-----------+-------------------------------------------+ | Class C2 | Potential | A vulnerability, but not in OpenStack | | | OSSN | supported code, e.g., in a dependency |
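Review bot: The new Class B3 row does not match the scope the commit message gives it: the message says the class is for "experimental features, backends and drivers", but the row reads "A vulnerability in experimental or | debugging features not intended for | production use" and never mentions backends or drivers. Since this table is what triage will consult, either extend the description (for example "experimental or debugging features, backends or drivers not intended for production use", rewrapped to the 43-character column) or drop backends and drivers from the commit message so the two agree. Minor style point in the same hunk: the Class C1 change introduces "e.g. one depending on UUID guessing" without the comma, while the neighbouring B2 and C2 rows use "e.g., poor architecture / design" and "e.g., in a dependency"; use "e.g.," for consistency.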