Statistics are grouped by month of the issue being reported to the private list.
| Month | All reports | Embargoed | Average embargo days | Median embargo days | Min embargo days | Max embargo days |
|---|---|---|---|---|---|---|
| 2026-01 | 3 | 3 | 7.42 | 6.81 | 1.28 | 14.15 |
| Total | 3 | 3 | 7.42 | 6.81 | 1.28 | 14.15 |
Non-embargoed reports (issues already posted to oss-security before being brought to (linux-)distros, which has not yet occurred in 2026) would be excluded from the calculation of average, median, and minimum embargo duration above.
For the statistics above, we only use the first embargo duration shown in the table below, which is the delay between the postings to (linux-)distros and to oss-security.
For some reports, there's a second embargo duration: the delay (sometimes negative) between a first public posting elsewhere and the posting to (linux-)distros. Such a first public posting often does not fully (or at all) reveal the security relevance of the issue/fix, making it not-too-unreasonable to allow a little bit (more) of embargo time on the full detail, especially when that's the issue reporter's and/or the upstream project's preference.
| Project | Subjects/titles/links | Time at distros (UTC) … oss-security (UTC) Elsewhere (UTC) | Embargo days | Planned CRD(s) (exact wording) | CVE(s) |
|---|---|---|---|---|---|
| OpenStack keystonemiddleware | [vs] Vulnerability in OpenStack keystonemiddleware (CVE pending) [oss-security] [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) | Thu Jan 08 20:01:47 2026 Thu Jan 15 15:32:58 2026 | 6.81 | Thursday, 2026-01-15, 1500UTC | |
| OpenSSL | [vs-plain] Embargoed OpenSSL security issue [oss-security] OpenSSL Security Advisory (corrected - added CVE-2026-22795 and CVE-2026-22796) | Tue Jan 13 13:44:01 2026 Tue Jan 27 17:19:21 2026 | 14.15 | 27th January 2026 | |
| BIND 9 | [vs] … [oss-security] ISC has disclosed one vulnerability in BIND 9 (CVE-2025-13878) | Tue Jan 20 09:27:28 2026 Wed Jan 21 16:14:45 2026 | 1.28 | 21 January 2026 | CVE-2025-13878 |
These files were manually created based on review of the e-mail threads and external resources referenced from there. They were processed with this Perl script to produce the tables above. You should be able to reproduce that.
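
As an added example (Python, not the Perl script mentioned above), the following recomputes the per-report embargo days and the summary row from the distros and oss-security timestamps in the table. Treating a report as non-embargoed when its oss-security posting is not later than its distros posting is this example's reading of the exclusion rule, and the function and field names are its own.

```python
from datetime import datetime
from statistics import mean, median

FMT = "%a %b %d %H:%M:%S %Y"  # timestamp layout used in the table (UTC)

# (project, time at distros, time at oss-security), copied from the table above
REPORTS = [
    ("OpenStack keystonemiddleware",
     "Thu Jan 08 20:01:47 2026", "Thu Jan 15 15:32:58 2026"),
    ("OpenSSL", "Tue Jan 13 13:44:01 2026", "Tue Jan 27 17:19:21 2026"),
    ("BIND 9", "Tue Jan 20 09:27:28 2026", "Wed Jan 21 16:14:45 2026"),
]


def embargo_days(distros, oss_security):
    """Delay in days between the distros posting and the oss-security posting."""
    delta = datetime.strptime(oss_security, FMT) - datetime.strptime(distros, FMT)
    return delta.total_seconds() / 86400


def summarize(reports):
    """Build one summary row; values are rounded to two decimals like the table."""
    days = [embargo_days(d, o) for _, d, o in reports]
    # Assumption of this example: a non-positive delay means the issue was
    # already on oss-security, so the report counts as non-embargoed.
    embargoed = [x for x in days if x > 0]

    def r2(value):
        return None if value is None else round(value, 2)

    return {
        "all": len(days),
        "embargoed": len(embargoed),
        # Non-embargoed reports are left out of average, median and minimum.
        "average": r2(mean(embargoed) if embargoed else None),
        "median": r2(median(embargoed) if embargoed else None),
        "min": r2(min(embargoed) if embargoed else None),
        "max": r2(max(days) if days else None),
    }


if __name__ == "__main__":
    for project, distros, oss in REPORTS:
        print(f"{project}: {embargo_days(distros, oss):.2f}")
    print(summarize(REPORTS))
```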