White paper: Open Source Vulnerability Response

I've been working on a white paper on vulnerability response for open source projects. A few colleagues have been good enough to give me comments and I figure it's ready for public scrutiny. Any feedback welcome.