vendor neutral language, NIST database for known issues

Signed-off-by: Lokesh Mandvekar <[email protected]>

Author: lsm5

docs/cncf/self-assessment.md

@@ -202,8 +202,7 @@ This document provides the CNCF TAG-Security with an initial understanding of Po
 
 * **Outbound**:
 
-  - Release announcements via GitHub releases and the Podman mailing list
-  - Security advisories through [https://access.redhat.com](https://access.redhat.com) and Bugzilla trackers for Fedora and RHEL on [bugzilla.redhat.com](http://bugzilla.redhat.com)
+  - Release announcements via the [official Podman website](https://podman.io), GitHub releases, and the Podman mailing list
   - Documentation updates and blog posts
   - Conference presentations and talks
   - Project website at [podman.io](https://podman.io) with comprehensive documentation
@@ -226,21 +225,21 @@ Podman is a critical component of the cloud-native ecosystem:
 
 * **Response Time**: The team commits to responding to vulnerability reports within 48 hours. All medium and higher severity exploitable vulnerabilities are prioritized as a matter of general practice.
 
-* **Coordination**: For critical vulnerabilities, Red Hat’s Product Security team coordinates with downstream projects to file bug trackers for downstreams (Fedora / RHEL).
+* **Coordination**: For critical vulnerabilities, ct Security team coordinates with downstream projects to file bug trackers for downstreams (Fedora / RHEL).
 
 * **Credit**: Security researchers who responsibly disclose vulnerabilities are credited in security advisories and release notes.
 
-* **Public Disclosure**: Vulnerabilities are disclosed by Red Hat’s Product Security team with appropriate embargo periods for critical issues, following industry best practices for responsible disclosure.
+* **Public Disclosure**: Vulnerabilities are disclosed by the project maintainers with appropriate embargo periods for critical issues, following industry best practices for responsible disclosure.
 
 ### Vulnerability Response Process
 
-* **Triage**: Security reports are triaged by the Red Hat’s Product security team and assigned severity levels (Critical, High, Medium, Low) using CVSS scoring where applicable.
+* **Triage**: Security reports are triaged by the project maintainers and assigned severity levels (Critical, High, Medium, Low) using CVSS scoring where applicable.
 
 * **Investigation**: The team investigates the vulnerability, determines impact, and develops fixes. All medium and higher severity exploitable vulnerabilities discovered through static or dynamic analysis are fixed in a timely way after they are confirmed.
 
 * **Fix Development**: Security fixes for embargoed CVEs are developed in private repositories to prevent premature disclosure.
 
-* **Disclosure**: Vulnerabilities are disclosed by the Red Hat Product Security team with appropriate embargo periods for critical issues. The project follows industry best practices for coordinated vulnerability disclosure.
+* **Disclosure**: Vulnerabilities are disclosed by the project maintainers with appropriate embargo periods for critical issues. The project follows industry best practices for coordinated vulnerability disclosure.
 
 ### Incident Response
 
@@ -250,6 +249,11 @@ Podman is a critical component of the cloud-native ecosystem:
 
 ## Appendix
 
+### Known Issues Over Time
+
+* See [this NIST Vulnerability Database list](https://nvd.nist.gov/vuln/search#/nvd/home?vulnRevisionStatusList=published&offset=0&rowCount=50&keyword=podman&resultType=records) for CVEs to date. This includes issues in the Go toolchain and dependencies used by Podman.
+(Four of the entries as of the date of this writing aren't directly related to Podman but contain Podman in the search terms.)
+
 ### OpenSSF Best Practices
 
 * **Current Status**: Podman has achieved a [passing OpenSSF Best Practices badge](https://www.bestpractices.dev/projects/10499) (100% compliance), demonstrating adherence to security best practices.
@@ -266,8 +270,6 @@ Podman is a critical component of the cloud-native ecosystem:
 
 * List of companies and organizations using / shipping Podman [https://github.com/containers/podman/blob/main/ADOPTERS.md](https://github.com/containers/podman/blob/main/ADOPTERS.md)
 
-* Details TBD
-
 ### Related Projects / Vendors
 
 * **Buildah**: A tool that facitiliates building OCI container images.