...
The Security Team defines which organizations are admitted to the pre-disclosure list. Generally, well-established organizations with a mature security response process will be considered on a case-by-case basis. Organizations that meet the criteria should contact XXX (we need a cloudstack-security mailing list) security@cloudstack.apache.org if they wish to participate in the pre-disclosure activities. The list of entities on the pre-disclosure list is public. No organization may privately receive pre-disclosure information.
...