(1) > * The proposed mechanism for reporting a vulnerability. Be as accepting as possible. Standard email and a web form could both feed into an autoresponder/ticket system. > It seems like a web-based reporting system may also provide a better level of security protection by encrypting the channel & contents of the communication vs. less secure email. Yeah, TLS is good. (2) > * What the email address should be for reports to be sent to. No opinion.