Thierry and Mikal may correct me on this, but my interpretation is that if it's a security vulnerability in OpenStack for which we've got a fix (maybe even if that just means beefing up available options for deployers or making more verbose disclaimers in logs and interfaces), then the VMT issues an OSSA. On the other hand, if there's nothing to be fixed and this is merely a matter of setting long-term expectations on the security failings of a particular feature for the benefit of improved understanding within the OpenStack community, then the OSSG issues an OSSN (with or without a CVE as appropriate).