(1) > * The proposed mechanism for reporting a vulnerability.
Be as accepting as possible. Standard email and a web form could both feed into an autoresponder/ticket system.
> It seems like a web-based reporting system may also provide a better level of security protection by encrypting the channel & contents of the communication vs. less secure email.
Yeah, TLS is good.
(2) > * What the email address should be for reports to be sent to.
No opinion.
