From 824cabf59fb30c68067747373044ab39ef569e49 Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@qubes-os.org>
Date: Tue, 21 Mar 2017 18:02:03 -0700
Subject: [PATCH] Add notes regarding embargoed XSAs and unused XSA numbers

QubesOS/qubes-issues#2703
---
 security-info/xsa.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/security-info/xsa.md b/security-info/xsa.md
index 7ac5bb17..b9313d59 100644
--- a/security-info/xsa.md
+++ b/security-info/xsa.md
@@ -24,6 +24,8 @@ Important Notes
 * For simplicity, we use the present tense ("is affected") throughout this page, but this does **not** necessarily mean that up-to-date Qubes installations are *currently* affected by any particular XSA.
   In fact, it is extremely unlikely that any up-to-date Qubes installations are vulnerable to any XSAs on this page, since patches are almost always published concurrently with QSBs.
   Please read the QSB (if any) for each XSA for patching details.
+* Embargoed XSAs are excluded from this tracker until they are publicly released, since the [Xen Security Policy] does not permit us to state whether Qubes is affected prior to the embargo date.
+* Unused XSA numbers are included in the tracker for the sake of completeness, but they are excluded from the [Statistics] section for the sake of accuracy.
 * All dates are in UTC.
 
 
@@ -101,4 +103,6 @@ Tracker
 [XSA]: https://xenbits.xen.org/xsa/
 [QSB]: /security/bulletins/
 [DoS]: https://en.wikipedia.org/wiki/Denial-of-service_attack
+[Xen Security Policy]: https://www.xenproject.org/security-policy.html
+[Statistics]: #statistics