From 03ff9a601b0c0ee5048586fb82548ac02ec9af1d Mon Sep 17 00:00:00 2001 From: anonimal Date: Thu, 15 Feb 2018 08:46:11 +0000 Subject: [PATCH 1/2] VRP: clarify definition of LOW severity vulnerability --- VULNERABILITY_RESPONSE_PROCESS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VULNERABILITY_RESPONSE_PROCESS.md b/VULNERABILITY_RESPONSE_PROCESS.md index 8000b17..9eb89a1 100644 --- a/VULNERABILITY_RESPONSE_PROCESS.md +++ b/VULNERABILITY_RESPONSE_PROCESS.md @@ -75,7 +75,7 @@ PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1 6. Establish severity of vulnerability: - a. HIGH: impacts network as a whole, has potential to break entire monero/kovri network, results in the loss of monero, or is on a scale of great catastrophe - b. MEDIUM: impacts individual nodes, routers, wallets, or must be carefully exploited - - c. LOW: is not easily exploitable + - c. LOW: is not easily exploitable or is low impact - d. If there are any disputes regarding bug severity, the Monero Response team will ultimately define bug severity 7. Respond according to the severity of the vulnerability: From 33e2e087a28df03c9d7d9f10c35571e55c064f35 Mon Sep 17 00:00:00 2001 From: anonimal Date: Wed, 21 Feb 2018 01:24:48 +0000 Subject: [PATCH 2/2] VRP: researcher will receive name credit by default --- VULNERABILITY_RESPONSE_PROCESS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VULNERABILITY_RESPONSE_PROCESS.md b/VULNERABILITY_RESPONSE_PROCESS.md index 9eb89a1..27cb4ad 100644 --- a/VULNERABILITY_RESPONSE_PROCESS.md +++ b/VULNERABILITY_RESPONSE_PROCESS.md 
@@ -106,7 +106,7 @@ PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1 1. Response Team has 90 days to fulfill all points within section III 2. If the Incident Response process in section III is successfully completed: - - a. Response Manager contacts researcher and asks if researcher wishes for credit + - a. Researcher decides whether or not to opt out of receiving name/handle/organization credit. By default, the researcher will receive name/handle/organization credit. - i. If bounty is applicable, release bounty to the researcher as defined in section "Bounty Distribution" - b. Finalize vulnerability announcement draft and include the following: - i. Project name and URL
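Review bot: In the first patch (the `- c. LOW` line), the new criterion "is not easily exploitable or is low impact" overlaps with the other tiers: MEDIUM already covers bugs that "must be carefully exploited", and a bug that is hard to exploit but "results in the loss of monero" would now match both HIGH and LOW. Consider either requiring both conditions for LOW ("is not easily exploitable and is low impact") or adding a sentence that the highest matching tier applies, so the dispute clause in item d is not the only thing resolving the ambiguity.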
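Review bot: In the second patch (the `+ - a. Researcher decides whether or not to opt out` line), the replaced text named who contacts the researcher; the new text only states the default and leaves open who informs the researcher of it and by when. Since the announcement draft is finalized in the next step (b), suggest keeping the Response Manager's contact step and adding a deadline, e.g. "Response Manager informs the researcher that name/handle/organization credit will be given by default and gives the researcher the opportunity to opt out before the announcement is finalized." Publishing a handle or organization without an explicit confirmation step also risks identifying a reporter who intended to stay anonymous. Minor style point: the sibling items are period-free fragments, while this one is two full sentences.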