Clarification of support levels for items in Tiers

[lirantal]

Can we add a description of values and their definitions for security criteria items so that it is better understood what each mean. For example, I found the following for npm.md unclear:

• Strong authentication: Partial - what does it mean?
• Update notifications - Partials - means what exactly? Is it just the single maintainer who published but not all others who are listed as maintainers or the team that manages it?
• Package Manager Does Not Run Code - Optional - If it is optional, how does this score? is it a +1 for flagging as passing the criteria or not?

[stevespringett]

Related to: SCVS 4.3 - Package repository requires strong authentication SCVS 4.4 - Package repository enables multi-factor authentication component publishing SCVS 4.5 - Package repository components have been published with multi-factor authentication SCVS 4.8 - Package repository notifies publishers of security issues SCVS 4.9 - Package repository notifies users of security issues SCVS 4.18 - Package manager does not execute code

Note: SCVS is currently in pre-draft and is subject to change