
Make a formal time period and process for patch review #12

@addisoncrump

Description


To ensure that the fix which is applied is complete, the reporter should be given a fixed means by which to access and review patches before they are merged and the advisory is published. In this way, we can ensure:

  • correct documentation regarding an incident
  • correct patch notes
  • the fix is complete and does not contain any missed scenarios

When reporting the rust-lang/regex untrusted regex DoS, there was ample time to review the fix -- and we found that it was indeed incomplete, and were able to remediate it before the advisory and patch were published. Also, the advisory, patch notes, and documentation regarding the incident are perfectly correct. Given that experience, I would say that, from my perspective, the use of the GitHub security advisory system with hidden forks for patches is a good review platform. Additionally, a week of fix review time is a good minimum to ensure that all sides have fully considered the ramifications of the fix.
