Open questions regarding security fixes

[FRidh]

https://github.com/NixOS/nixpkgs/pull/72290 added a section on submitting security fixes. There are however still open questions or things that should be done:

• [x] How about version numbers prefixed to CVE? https://github.com/NixOS/nixpkgs/pull/72076
• [ ] How about patches that partially resolve a CVE? https://discourse.nixos.org/t/nixpkgs-update-partners-with-serokell-and-nlnet-to-add-cve-reporting/3577/18
• [ ] Mention security reports and their way of working as well as vulnix
• [ ] Mention https://nixos.org/nixos/security.html
• [x] how to name a single patch fixing multiple CVEs ? [A] or [B] or [C]

[JohnAZoidberg]

@ckauhaus Vulnix doesn't care about how multiple CVE's are mentioned in the filename, right? As long as it contains them?

[ckauhaus]

Variants A and C are working, B not. We match "CVE-\d+-\d+" for each CVE.

[ckauhaus]

Re the first question: It doesn't matter if there is more than just the CVE number in the patch name.