OpenChain-Project / Security-Assurance-Specification


[Improvement] CERT #3 - Under the Competence category, add requirements #23

Closed shanecoughlan closed 1 year ago

shanecoughlan commented 1 year ago

This originates in https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/6

Implement ISO/IEC 29147:2018 and ISO/IEC 30111:2019

Under the Competence category, add these requirements:

- Implement a capability for the public to report vulnerabilities; allowing for analysis; and providing mitigation or remediation.
- Implement a capability for the secure distribution of software updates.
- Provide a timeline for when security patches and security support will end.

shanecoughlan commented 1 year ago

@stephenkilbaneadi: CERT-03: Is the first addition a single item to add, or three? Supporting these extra elements might make this spec harder to adopt.

@jthDEV: CERT-03: The requirement is covered in 3.2.1. We might add a reference to ISO/IEC 29147:2018 as an example, but should not require it. First, the other ISO standard is not open, which would somehow limit the openness of this standard, and second, it would require another test. The same applies to the handling standard ISO/IEC 30111:2019.

shanecoughlan commented 1 year ago

The discussion on our North America / Europe monthly call 2023-02-07 concluded that these three items would potentially expand our scope too far in terms of making the spec difficult to adopt. It was decided not to include them in the second generation of the security specification, though naturally if anyone strongly objects they can reopen this issue.

Flagging for @heliocastro