diff --git a/content/about/security-vulnerabilities/index.md b/content/about/security-vulnerabilities/index.md
index cafdfe5e..cfd3b5ad 100644
--- a/content/about/security-vulnerabilities/index.md
+++ b/content/about/security-vulnerabilities/index.md
@@ -1,6 +1,6 @@
---
-title: Security Vulnerabilities
-description: How we handle security vulnerabilities.
+title: Reporting Security Vulnerabilities
+description: Responsible disclosure for Istio security vulnerabilities.
weight: 35
icon: vulnerabilities
---
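Review bot: the new description "Responsible disclosure for Istio security vulnerabilities." undersells what the page now covers. The body below still describes the team's response and a negotiated disclosure date, which is coordinated disclosure, so consider "Reporting and coordinated disclosure of Istio security vulnerabilities." so the front matter matches the new "Public disclosure timing" section rather than only the reporting instructions.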
@@ -8,15 +8,13 @@ icon: vulnerabilities
We are very grateful to the security researchers and users that report
back Istio security vulnerabilities. We investigate every report thoroughly.
-## Reporting a vulnerability
-
To make a report, send an email to the private
[`istio-security-vulnerabilities@googlegroups.com`](mailto:istio-security-vulnerabilities@googlegroups.com)
mailing list with the vulnerability details. For normal product bugs
unrelated to latent security vulnerabilities, please head to
our [Reporting Bugs](/about/bugs/) page to learn what to do.
-### When to report a security vulnerability?
+## When to report a security vulnerability?
Send us a report whenever you:
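Review bot: dropping "## Reporting a vulnerability" leaves the mailto paragraph as part of the page intro with no heading of its own, so the first anchor in the table of contents becomes "When to report a security vulnerability?" and a reader landing from a link has nothing to jump to for the actual reporting address. Either keep a short "## Reporting a vulnerability" above the `istio-security-vulnerabilities@googlegroups.com` paragraph, or fold the address into the page intro sentence so it is the first thing on the page.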
@@ -25,7 +23,7 @@ Send us a report whenever you:
- Think a vulnerability is present in another project that Istio
depends on. For example, Envoy, Docker, or Kubernetes.
-### When not to report a security vulnerability?
+## When not to report a security vulnerability?
Don't send a vulnerability report if:
@@ -33,9 +31,9 @@ Don't send a vulnerability report if:
- You need help applying security related updates.
- Your issue is not security related.
-## Evaluation
+## Security vulnerability response
-The Istio security team acknowledges and analyzes each vulnerability report within three
+The Istio security team acknowledges and analyzes each report within three
work days.
Any vulnerability information you share with the Istio security team stays
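Review bot: the renamed heading "## Security vulnerability response" promises more than the text under it now delivers. The section still only states the three-work-day acknowledgement target and the confidentiality terms; with "## Fixing the issue" removed later in this patch, the page no longer says that fixes are developed and tested in a private repository to avoid premature disclosure. Either carry that sentence into this section or rename the heading to something like "Triage" so it matches its contents.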
@@ -45,38 +43,15 @@ projects. We only share the information as needed to fix the issue.
We keep the reporter updated as the status of the security issue moves
from `triaged`, to `identified fix`, to `release planning`.
-## Fixing the issue
-
-Once a security vulnerability has been fully characterized, a fix is developed by the Istio team.
-The development and testing for the fix happens in a private GitHub repository in order to prevent
-premature disclosure of the vulnerability.
-
-## Early disclosure
-
-Before vulnerabilities are disclosed to the public, there is an early private disclosure to a small set of Istio partners.
-This is to enable partners that distribute Istio binaries to prepare to distribute the fix.
-
-Early disclosure happens three working days prior to full public disclosure.
-
-Please fill out the [Early Security Vulnerability Disclosure](https://github.com/istio/community/issues/new?template=early-disclosure-request.md) form to request being
-added to the early disclosure mailing list.
-
-## Public disclosure
-
-On the day chosen for public disclosure, a sequence of activities takes place as quickly as possible:
-
-- Changes are merged from the private GitHub repository holding the fix into the appropriate set of public
-branches.
-
-- Release engineers ensure all necessary binaries are promptly built and published.
-
-- Once the binaries are available, an announcement is sent out on the following channels:
-
- - The [Istio blog](/blog)
- - The [Announcements](https://discuss.istio.io/c/announcements) category on discuss.istio.io
- - The [Istio Twitter feed](https://twitter.cqom/IstioMesh)
- - The [#announcement channel on Slack](https://istio.slack.com/messages/CFXS256EQ/)
-
-As much as possible this announcement should be actionable, and include any mitigating steps users can take prior to
-upgrading to a fixed version. The recommended target time for these announcements is 16:00 UTC from Monday to Thursday.
-This means the announcement will be seen morning Pacific, early evening Europe, and late evening Asia.
+## Public disclosure timing
+
+The Istio security team and the bug submitter negotiate a public
+disclosure date between them. We prefer to fully disclose the bug as
+soon as possible once a user mitigation is available.
+We consider reasonable to delay disclosure when the bug or the fix is
+not yet fully understood, the solution is not well-tested, or for
+vendor coordination. The time frame for disclosure is from immediate,
+especially if the bug is known publicly already, to a few weeks.
+As a basic default, we expect the report date and the disclosure date
+to be on the order of seven days apart. The Istio security team holds
+the final say on setting a disclosure date.
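Review bot: the replacement text removes three things users and partners rely on without giving them a new home: the list of announcement channels (blog, discuss.istio.io, Twitter, Slack), the guidance that announcements include mitigating steps users can take before upgrading, and the early-disclosure request form for distributors. Keep at least the channel list and the mitigation sentence under the new heading (fixing the `twitter.cqom` typo in the removed line while at it), and say what replaces the early-disclosure list, otherwise partners who distribute Istio binaries have no documented way to get advance notice. In the new prose, "We consider reasonable to delay disclosure" should read "We consider it reasonable to delay disclosure", and the stated default of "on the order of seven days" sits oddly next to "to a few weeks" two sentences earlier; state the default first and then the range of exceptions.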