docs: clarifying security posture

docs/root/intro/arch_overview/security/threat_model.rst

@@ -70,6 +70,16 @@ a regular expression on a header match in ``RouteConfiguration``. In this case,
 is resilient against the risks posed by malicious configuration from a confidentiality, integrity
 and availability perspective, as described above.
 
+For issues requiring control plane and data plane coordination, such as a configuration option which
+results in a Query of Death, risk is assessed by Envoy Security Team. If the configuration option is
+long-standing, turning it off presents a risk (e.g turning off overload manager) and leaving it on
+results in risk, the Security Team would usually opt to fix the issue under embargo. If a feature is new
+and a config change always results in a data plane crash, it might be classified as something the
+trusted control plane should disallow, and be fixed in the clear. For more nuanced issues, such as long
+standing configuration where only one variant is problematic, the Security Team will try to assess if
+there is an attack which presents a risk to any users, including large scale multi-tenant operators
+to determine if it should be fixed in the clear or not.
+
 We generally assume that services utilized for side calls during the request processing, e.g.
 external authorization, credential suppliers, rate limit services, are trusted. When this is not the
 case, an extension will explicitly state this in its documentation.