Clean up minor inconsistency re public disclosure

Include a summary of both kinds of e-mail which may be sent to the
pre-disclosure list in the "Pre-disclosure list" section, before the
discussion of what is expected of pre-disclosure list members.  Also
make it consistently clear that the public disclosure will always be
sent to the pre-disclosure list.

Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com>

Declare version 1.3

Patch review, expert advice and targetted fixes

See <20448.49637.38489.246434@mariner.uk.xensource.com>, section
    "Patch development and review"

Discuss post-embargo disclosure of potentially controversial private decisions

See <20448.49637.38489.246434@mariner.uk.xensource.com>, section
    "11. Transparency"

Clarify the scope of the process to just the hypervisor project

Other projects are handled on a best effort basis by the project lead
with the assistance of the security team.

See <20448.49637.38489.246434@mariner.uk.xensource.com>, section
    "9. Vulnerability process scope"

Clarifications to predisclosure list subscription instructions

Specially:
  * Mention that subscriptions via the webterface do not work / are
    not honoured.
  * Mention the preference for role addresses only.

See <20448.49637.38489.246434@mariner.uk.xensource.com>, section
    "8. Predisclosure subscription process, and email address
        criteria"

Clarify what info predisclosure list members may share during an
embargo

See <20448.49637.38489.246434@mariner.uk.xensource.com>, section
  "7. Public communications during the embargo period"

Baseline version.

Downloaded from
http://www.xen.org/projects/security_vulnerability_process.html
at Thu Aug 16 15:04:25 BST 2012