This is perhaps a bit on the verbose side, but I was trying to provide sufficient content with regard to third-party dependencies, since that is where the majority of the vulnerabilities are likely to occur.
Notably absent is what our follow-up timeframe is, since I didn't want to obligate us to follow a specific response protocol or timeframe. Rather, we can refine that protocol on a case-by-case basis depending on the nature of the vulnerabilities as they are reported.
Resolves #311
Loosely inspired by Fiona #1308.