Merge pull request #313 from anonimal/VRP-public-platform

VRP: redefine public communications platform

VULNERABILITY_RESPONSE_PROCESS.md

@@ -92,7 +92,7 @@ PGP fingerprint = 1218 6272 CD48 E253 9E2D  D29B 66A7 6ECF 9144 09F1
     - c. Since a systematic DoS hunt has not been completed on any code, DoS's which do not crash a node remotely will receive a lower bounty reward
 
 7. Respond according to the severity of the vulnerability:
-    - a. HIGH severities must be notified on website and reddit /r/Monero (/r/Kovri for kovri) within 3 working days of classification
+    - a. HIGH severities will be notified via at least one public communications platform (mailing list, reddit, website, or other) within 3 working days of patch release
       - i. The notification should list appropriate steps for users to take, if any
       - ii. The notification must not include any details that could suggest an exploitation path
       - iii. The latter takes precedence over the former
@@ -132,7 +132,7 @@ PGP fingerprint = 1218 6272 CD48 E253 9E2D  D29B 66A7 6ECF 9144 09F1
       - viii. Mitigating factors (for example, the vulnerability is only exposed in uncommon, non-default configurations)
       - ix. Workarounds (configuration changes users can make to reduce their exposure to the vulnerability)
       - x. If applicable, credits to the original reporter
-    - c. Release finalized vulnerability announcement on website and reddit /r/Monero (/r/Kovri for kovri)
+    - c. Release finalized vulnerability announcement on public communications platform (mailing list, reddit, website, or other)
     - d. For HIGH severities, release finalized vulnerability announcement on well-known mailing lists:
       - i. oss-security@lists.openwall.com
       - ii. bugtraq@securityfocus.com