See http://xenbits.xen.org/gitweb/?p=people/larsk/governance.git;a=summary for the repository. Signed-off-by: Lars Kurth CC: committers@xenproject.org --- security-policy.pandoc | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/security-policy.pandoc b/security-policy.pandoc index 8e07384..74d0d8b 100644 --- a/security-policy.pandoc +++ b/security-policy.pandoc @@ -214,8 +214,9 @@ List members are allowed to make available to their users only the following: - The planned disclosure date List members may, if (and only if) the Security Team grants permission, deploy -fixed versions during the embargo. Permission for deployment, and any -restrictions, will be stated in the embargoed advisory text. +fixed versions to their own public facing service during the embargo. Permission +for deployment, and any restrictions, will be stated in the embargoed advisory +text. The Security Team will normally permit such deployment, even for systems where VMs are managed or used by non-members of the predisclosure list. The Security @@ -232,6 +233,9 @@ information about the issue (as listed above). This applies whether the deployment occurs during the embargo (with permission - see above) or is planned for after the end of the embargo. +NB: Distribution of updated software is prohibited (except to other members of +the predisclosure list). + *NOTE:* Prior v2.2 of this policy (25 June 2014) it was permitted to also make available the allocated CVE number. This is no longer permitted in accordance with MITRE policy.[]() @@ -408,6 +412,7 @@ Change History {#changelog} --------------
+- **v3.22 March 1st 2019:** Minor policy text clarifications - **v3.21 Nov 19th 2018:** Added XCP-ng.org - **v3.20 June 14th 2018:** Added Star Lab - **v3.19 May 9th 2018:** Remove Google and Xen 3.4 stable tree maintainer -- 2.13.0
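
Review bot: In the hunk at @@ -214,8 +214,9, "their own public facing service" leaves it unclear whether a list member's internal or non-public systems are still covered by the permission, and the singular "service" reads as if only one deployment is allowed. If the intent is to limit deployment to systems the member operates itself, as opposed to handing fixes to others, wording such as "to systems and services they operate themselves" would say that directly; if the phrase is kept, hyphenate "public-facing".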
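
Review bot: The "NB:" paragraph added in the hunk at @@ -232,6 +233,9 has no time bound. It follows a sentence that covers deployment both during the embargo and after its end, so "Distribution of updated software is prohibited" can be read as still applying after disclosure. Suggest opening it with "During the embargo, ...", stating whether "updated software" includes source patches as well as binaries, and using the "*NOTE:*" marker that the next paragraph already uses instead of "NB:".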
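
Review bot: The changelog entry "Minor policy text clarifications" in the hunk at @@ -408,6 +412,7 does not tell list members what changed for them, although the same patch adds an explicit prohibition on distributing updated software and qualifies where fixed versions may be deployed. An entry that names both, for example "Clarified deployment during embargo; distribution of updated software prohibited", would make the history usable for someone checking their obligations against v3.21.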