I'm in the process of updating the security pages on FreeBSD.org, at the request of des@. Here are some ideas of things that need to change.
- There's no description of what an end-user should do when he/she hears about a security vulnerability. This should come first.
- Maybe a separate page about reporting security vulnerabilities, FreeBSD's practices, who is told, etc.?
- Charter.xml's published review date of 2002 immediately strikes me as "FreeBSD isn't progressive if it doesn't actively review its policies, and indeed this page looks like it's been forgotten about, as 2002 was years ago."
- freebsd-update should take precedence over buildworld etc. in the security advisory announcements.