Commit
I love having a general guide, but I have a lot of specific comments.

For example: GitHub Security Advisory doesn't allow external vulnerability reports, and thus projects *must* have another mechanism (typically email). I don't think that was clear enough.

Email systems should try to use at least hop-by-hop encryption (e.g., STARTTLS). That's easy to get & provides real benefits.

While *Google* has a 90-day embargo policy, that is definitely *not* a universally-agreed-on number. In fact, it's unusually long (even *Google* used to have 60 days as their window), so claiming that "everyone agrees on it" is easily falsified. I think it's better to note that there's a range, and it's *more* important to have continued discussions with the vulnerability reporter if the reporter is open to it. After all, if your project's policy is to make it public in 90 days, but the reporter makes it public in 7, it really doesn't matter what the project's policy is.

Signed-off-by: David A. Wheeler <[email protected]>