Piotr feedback.

Signed-off-by: Harvey Tuch <htuch@google.com>

security/postmortems/cve-2019-9900.md

@@ -140,7 +140,9 @@ CVE-2019-9901 was reported by an external researcher (Erlend Oftedal) to the Ist
   the issue was first pushed. Ideally such issues should be routed to
   envoy-security@googlegroups.com first in the future and Envoy
   reviewers/maintainers should keep an eye out for inadvertent security
-  disclosures through public channels.
+  disclosures through public channels. In addition, an earlier issue
+  https://github.com/envoyproxy/envoy/issues/2956 was opened a year previous, but was not tagged as
+  being security sensitive.
 
 * Applicants for the private distributor list were turned down based on
   membership criteria that was adopted from k8s. This is now being revisited in
@@ -250,11 +252,10 @@ All times US/Pacific
 * [CVE-2019-9901] https://github.com/envoyproxy/envoy/pull/6258 was opened to address
   https://github.com/envoyproxy/envoy/issues/6008.
 
-
 2019-03-13:
-* [CVE-2019-9901] https://github.com/envoyproxy/envoy/pull/6258 was closed after offline discussions between Envoy
-  security team and the author, once the Envoy security team became aware of the potential
-  severity in the Istio setup (in particular with RBAC and Mixer in play).
+* [CVE-2019-9901] https://github.com/envoyproxy/envoy/pull/6258 was closed after offline discussions
+  between Envoy security team and the author, once the Envoy security team became aware of the
+  potential severity in the Istio setup (in particular with RBAC and Mixer in play).
 
 2019-03-14:
 * [CVE-2019-9900] Finding were presented to envoy-security@. A fix plan was
@@ -263,8 +264,8 @@ All times US/Pacific
 * [CVE-2019-9901] The Istio fix leads initiated private work on a fix patch.
   Since it was likely that this would land within the 1.9.1 release
   window for CVE-2019-9900, CVE-2019-9901 was also scheduled for the release.
-* [Announcement](https://groups.google.com/forum/#!topic/envoy-announce/dEOLqAiaSUI) sent to remind distributors to join
-  cncf-envoy-distributors-announce@lists.cncf.io.
+* [Announcement](https://groups.google.com/forum/#!topic/envoy-announce/dEOLqAiaSUI) sent to remind
+  distributors to join cncf-envoy-distributors-announce@lists.cncf.io.
 
 2019-03-20:
 * CVEs were requested from MITRE for both issues.
@@ -273,7 +274,8 @@ All times US/Pacific
   following week.
 
 2019-03-22:
-* 11:20 1.9.1 security release for the two vulnerabilities was [announced](https://groups.google.com/d/msg/envoy-announce/6fwGB2TxB74/dKeURAdfAgAJ).
+* 11:20 1.9.1 security release for the two vulnerabilities was
+  [announced](https://groups.google.com/d/msg/envoy-announce/6fwGB2TxB74/dKeURAdfAgAJ).
 * 11:24 CVE summary details shared with cncf-envoy-distributors-announce@lists.cncf.io.
 
 2019-03-28:
@@ -286,10 +288,10 @@ All times US/Pacific
   cncf-envoy-distributors-announce@lists.cncf.io.
 
 2019-03-29:
-* Envoy security team was contacted by a distributor regarding the permissibility of silently staging binary
-  images in public locations in advance of the security release due to a lack of viable
-  alternatives. The Envoy security team agreed that there was no better alternative and provided an
-  exemption.
+* Envoy security team was contacted by a distributor regarding the permissibility of silently
+  staging binary images in public locations in advance of the security release due to a lack of
+  viable alternatives. The Envoy security team agreed that there was no better alternative and
+  provided an exemption.
 
 2019-04-02:
 * 08:15 The increase of severity from medium to high was