ONAP, as an upstream project, is used (or rather will be) in a number of products and at critical points of civil infrastructure that are negatively affected by vulnerabilities. In the spirit of responsible disclosure, this ecosystem, collectively known as the downstream stakeholders, needs to be warned in advance so that it can prepare patches and roll them out in a coordinated fashion on disclosure day. The embargo period is deliberately kept short (3-5 business days), as a middle ground between keeping the vulnerability under cover for too long and not giving downstream stakeholders a chance to react. The list of downstream stakeholders is kept secret and is known only to the Vulnerability Service Subcommittee.

If you are not currently a referenced stakeholder and think you should definitely be included on that list, please submit an email with a rationale to the chair of the Vulnerability Service Subcommittee.
