[Secure-testing-team] Some notes on data commits

Moritz Muehlenhoff jmm at inutil.org
Fri Jan 12 22:59:14 CET 2007


We use a quite open system for maintaining our data, but some notes
to ensure a continuing high level of data quality:

- Do not add <not-affected> entries unless it's very obvious (like
  Windows-specific issues) or clearly stated inside a bug log or
  home page.

- Severity ratings have been repeatedly picked up by news sites
  taking them as an official position of the Debian project and
  indirectly the Security Team. This means that severity ratings
  should only be added with great care. Not every issue needs
  a severity rating; if in doubt, leave it out or mark it unknown.

- Do not trust vulnerability web sites or the CVE description!

- If you add NOT-FOR-US: you should have done significant checking
  that the package is not in the archive. If the package can even
  be found with "apt-cache search", you haven't tried hard enough.

Cheers,
        Moritz
