Surfacing a recent discussion from the Vulnerability Disclosures WG Slack and the APAC Vulnerability Disclosures WG monthly meeting...
Questions to be answered:
- What should the disclosure policy be for projects with a maintainer gap? Public disclosure so that a broader set of potential developers can take action on the information?
- It's not great to have bugs in bug trackers marked private if no one is going to take action on them during an embargo period, is it?
In an era of commercially maintained forks of key open source software, and of downstream Linux distributions that want to manage their own risk, getting a signal out that derivative patching is necessary is going to be important.