updated references to CVE's in release notes.

CHANGES.md

@@ -4,6 +4,12 @@
 
 * Fix CVE-2018-18443, a memory leak in ThreadPool
 
+### Bugs
+
+This version fixes the following security vulnerabilities:
+
+* [CVE-2018-18443](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18443)
+
 ## Version 2.3.0 (August 13, 2018)
 
 ### Features/Improvements:
@@ -681,13 +687,13 @@
 This maintenance release addresses the reported OpenEXR security
 vulnerabilities, specifically:
 
-* CVE-2017-9110
-* CVE-2017-9111
-* CVE-2017-9112
-* CVE-2017-9113
-* CVE-2017-9114
-* CVE-2017-9115
-* CVE-2017-9116.
+* [CVE-2017-9110](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9110)
+* [CVE-2017-9111](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9111)
+* [CVE-2017-9112](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9112)
+* [CVE-2017-9113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9113)
+* [CVE-2017-9114](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9114)
+* [CVE-2017-9115](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9115)
+* [CVE-2017-9116](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9116)
 
 ## Version 2.2.0 (August 10, 2014)
 
@@ -916,6 +922,14 @@ for targeting 64 bit Windows, fixes for buffer overruns and a number
 of other minor fixes, additions and optimisations. Please see the
 Changelog files for more detailed information.
 
+### Bugs
+
+This release addresses the following security vulnerabilities:
+
+* [CVE-2009-1720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1720)
+* [CVE-2009-1721](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1721)
+* [CVE-2009-1722](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1722)
+
 ### Detailed Changes:
 
 * Added support for targetting builds on 64bit Windows and minimising

CONTRIBUTING.md

@@ -260,6 +260,27 @@ modifications to the TSC by assigning the `tsc-review` label to a pull
 request or issue. The TSC should serve as the final arbiter where
 required.
 
+### Test Policy
+
+All functionality in the library must be covered by an automated
+test. Each library has a companion ``Test`` project - ``ImathTest``,
+``HalfTest``, ``IlmImfTest`, etc.  This test suite is collectively
+expected to validate the behavior of very part of the library.
+
+* Any new functionality should be accompanied by a test that validates
+  its behavior.
+
+* Any change to existing functionality should have tests added if they
+  don't already exist.
+
+The test should should be run, via ``make check``, before submitting a
+pull request.
+
+In addition, the ``IlmImfFuzzTest`` project validates the library by
+feeding it corrupted input data. This test is time-consuming (possible
+over 24 hours), so it will only be run occasionally, but it must
+succeed before a release is made.
+
 ### Project Issue Handling Process
 
 Incoming new issues are labeled promptly by the TSC using GitHub labels.