Apply suggestions from code review

sethmlarson · hugovk · web-flow · commit b59e69f2f8c7 · 2025-10-23T13:14:08.000Z
Co-authored-by: Hugo van Kemenade &lt;1324225+hugovk@users.noreply.github.com&gt;
diff --git a/peps/pep-0811.rst b/peps/pep-0811.rst
@@ -2,9 +2,12 @@ PEP: 811
 Title: Defining Python Security Response Team membership and responsibilities
 Author: Seth Michael Larson <seth@python.org>
 Sponsor: Gregory P. Smith <greg@krypto.org>
+Discussions-To: Pending
 Status: Draft
 Type: Process
+Topic: Governance
 Created: 22-Oct-2025
+Post-History: Pending
 
 Abstract
 ========
@@ -248,23 +251,30 @@ Therefore, vulnerability reporting has additional requirements for PSF staff
 detailed in CRA `Article 24 <https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_24>`_.
 These requirements can be summarized as:
 
-➤ Maintain a vulnerability disclosure policy fostering the voluntary reporting of vulnerabilities.
-The policy shall include aspects related to documenting, addressing, and remediating vulnerabilities
-and promote the sharing of information concerning discovered vulnerabilities within the open-source community.
-
-➤ Cooperate with EU market surveillance authorities (ENISA and CSIRTs) to
-mitigate cybersecurity risks.
-
-➤ If a vulnerability is **known to be actively exploited** EU market surveillance
-authorities must be notified through the Single Reporting Platform (SRP)
-within the following timelines:
-
-* **Within 24 hours of becoming aware of an actively exploited vulnerability:** submit an early warning notification.
-* **Within 72 hours of becoming aware of an actively exploited vulnerability:** submit general information,
-  the product, general nature of the exploit and vulnerability, and mitigating measures taking or mitigating measures that users can take.
-* **Within 14 days after a corrective or mitigating measure is available:** a final report including a description
-  of the vulnerability including severity and impact, information concerning any malicious actor, and details
-  about the security update or other corrective measures available to remedy the vulnerability.
+* Maintain a vulnerability disclosure policy fostering the voluntary reporting
+  of vulnerabilities. The policy shall include aspects related to documenting,
+  addressing, and remediating vulnerabilities and promote the sharing of
+  information concerning discovered vulnerabilities within the open-source
+  community.
+
+* Cooperate with EU market surveillance authorities (ENISA and CSIRTs) to
+  mitigate cybersecurity risks.
+
+* If a vulnerability is **known to be actively exploited** EU market
+  surveillance authorities must be notified through the Single Reporting
+  Platform (SRP) within the following timelines:
+
+  * **Within 24 hours of becoming aware of an actively exploited
+    vulnerability:** submit an early warning notification.
+  * **Within 72 hours of becoming aware of an actively exploited
+    vulnerability:** submit general information,
+    the product, general nature of the exploit and vulnerability, and
+    mitigating measures taking or mitigating measures that users can take.
+  * **Within 14 days after a corrective or mitigating measure is available:** a
+    final report including a description of the vulnerability including
+    severity and impact, information concerning any malicious actor, and details
+    about the security update or other corrective measures available to remedy
+    the vulnerability.
 
 Note that these additional responsibilities don't apply to all members of the
 PSRT, only to PSF staff.
