Update security.adoc with some guidelines on dealing with vulnerability
This sentence is quite long. I would recommend to spit it in a number of sentences to keep a clear flow.
First part: this is up to the project to decide if they fix or not, but the researcher might disagree with them. Not fixing might have high impact on the reputation of the project, as at the end all vulnerabilities to Eclipse projects are disclosed. This is not possible for a project to keep an unfixed vulnerability not known to the public. The researcher might disclose the vulnerability on their side, they can also apply for a CVE on their own.
There are also expressions I do not understand: what does it mean "mandated by the Foundation" here?
Second part: you probably mean "vulnerability detected IN the third party dependencies"
Those are separate ideas so would be good to put them in separate paragraphs. For example (with editing), see below. I've updated the vocabulary to be in sync with the rest of the document. If you mean a release review process as 'review process', the new process is different and projects go by the review once per year only. There is no impact on bugfix releases. @wbeaton could you confirm.
And here's my proposal of the rewrite.
It should be noted that vulnerabilities have different severities and not all of them need the same reaction. Some (low severity) vulnerabilities might not need a fix at all if documented or if a viable workaround exists.
In case of a critical vulnerability, the project might decide to perform an emergency bugfix release.
It is a common practice to resolve vulnerabilities by upgrading the dependencies for your next project release.
There are way more: vulnerabilities in the hardware the software or build is running on, vulnerabilities in 3rd party services (which are not dependencies) and so on. I also do not understand what this introduction is leading to. This classification does not seem to be used below.