Comment 1 for bug 1628917

For what it's worth, I believe we should start following the processes laid out by the OpenStack VMT even though we're a tiny project just to get practice in using them: http://docs.openstack.org/project-team-guide/vulnerability-management.html