-----
Only the main repositories (dpdk and dpdk-stable) of the core project
-are in the scope of this security process.
+are in the scope of this security process (including experimental APIs).
If a stable branch is declared unmaintained (end of life),
no fix will be applied.
Do not use Bugzilla (unsecured).
Instead, send GPG-encrypted emails
-to `security@dpdk.org <http://core.dpdk.org/security#contact>`_.
+to `security@dpdk.org <https://core.dpdk.org/security#contact>`_.
Anyone can post to this list.
In order to reduce the disclosure of a vulnerability in the early stages,
membership of this list is intentionally limited to a `small number of people
-<http://mails.dpdk.org/roster/security>`_.
+<https://mails.dpdk.org/roster/security>`_.
It is additionally encouraged to GPG-sign one-on-one conversations
as part of the security process.
to downstream stakeholders
(`security-prerelease@dpdk.org <mailto:security-prerelease@dpdk.org>`_),
specifying the date and time of the end of the embargo.
-The public disclosure should happen in **less than one week**.
+The communicated public disclosure date should be **less than one week**
Downstream stakeholders are expected not to deploy or disclose patches
until the embargo is passed, otherwise they will be removed from the list.
Downstream stakeholders (in `security-prerelease list
-<http://mails.dpdk.org/roster/security-prerelease>`_), are:
+<https://mails.dpdk.org/roster/security-prerelease>`_), are:
* Operating system vendors known to package DPDK
* Major DPDK users, considered trustworthy by the technical board, who