Hi all,
Summary: Additional links about security review process and severity determination would be beneficial to the average subscriber of security alerts.
Long story:
Yesterday there was a security notice around updating the backup & migrate module that sparked some needed conversations. This link is essentially the email that was sent out https://www.drupal.org/sa-contrib-2018-004
Reviewing the issue and commits, it was apparent that the updates were primarily around notices of possible improper configuration of the module, not a newly discovered exploit (unless I missed something... always possible). As an outsider who didn't understand how severity was determined, I checked various site permissions and configuration, then filed this away in my mind as an alarmist severity.
Later there was a Twitter thread about this idea where I was informed as to how the severity of notices is determined. This information was completely new to me (12+ yr Drupal dev) and very informative. Not sure how I missed the changes in 2014 to the method for determining severity, but I did.
I was also approached on Slack about this Twitter thread and essentially asked, "what could we do better?". Thinking about it a bit more, I believe I was able to identify the fundamental problem and a decent solution.
The problem is one of education. Specifically in this case, I was the one uneducated as to the standards for determining severity and this lack of education has affected my understanding of the security notices for years now.
I'd like to propose a means of addressing that problem of education, adding links to the email notices that include information about how the various aspects of the notices are determined. I imagine a new section at the bottom of each security notice email might look like this:
- How risk levels are defined: https://www.drupal.org/drupal-security-team/security-risk-levels-defined
- How a security issue becomes an advisory: https://www.drupal.org/drupal-security-team/security-team-procedures/how...
- Severity calculation: https://security.drupal.org/riskcalc?risk[AC]=Basic&risk[A]=None&risk[CI]=All&risk[II]=Some&risk[E]=Exploit&risk[TD]=Uncommon
Number 1: this essentially already exists as the severity codes are linked to the same page, but I think there is added benefit to spelling out "How risk levels are defined".
Number 2: is a nice-to-have that helps with understanding the process that got the notice to this point.
Number 3: this link doesn't work because the form does not pre-fill from GET requests, so this would take the most work to implement. I'm thinking that having an easy way to read the expanded description of the severity would be great for developers like me. The alternative to providing this within the email is that someone has to take a lot of awkward steps to get the same information: visit the "risk levels" d.o link, find and visit the "risk calculator" link, look back and forth between the severity codes in the email and the risk calculator (guessing at which sentences the codes apply to), and then I will have the information I want.
Any thoughts/feedback would be very appreciated. If anyone knows of additional or better links that help guide the subscriber to a better understanding, I'm all ears.
If there is a better place for me to post this request, please let me know.
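As an added illustration of the "pre-fill from GET requests" idea in point 3 (example code written for this thread, not code from security.drupal.org or the Drupal Security Team), the sketch below parses `risk[...]` query parameters of the shape used in the link above and fills matching `<select>` elements. The six metric codes and the values Basic/None/All/Some/Exploit/Uncommon come from the link in the post; the remaining entries in the whitelist, the `select[name="risk[XX]"]` form layout and the function names are assumptions. Values that are not on the whitelist are dropped rather than reflected into the page.

```javascript
// Allowed values per metric. The metric codes and the values that appear in
// the post's riskcalc link are taken from the thread; the other values are
// assumed for this example and are not copied from the real calculator.
const ALLOWED_VALUES = {
  AC: ['None', 'Basic', 'Complex', 'Theoretical'], // access complexity
  A:  ['None', 'User', 'Admin'],                   // authentication required
  CI: ['None', 'Some', 'All'],                     // confidentiality impact
  II: ['None', 'Some', 'All'],                     // integrity impact
  E:  ['Theoretical', 'Proof', 'Exploit'],         // exploit availability
  TD: ['Uncommon', 'Default', 'All'],              // target distribution
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Parse a query string such as
//   ?risk[AC]=Basic&risk[A]=None&risk[CI]=All&risk[II]=Some&risk[E]=Exploit&risk[TD]=Uncommon
// into { accepted: { AC: 'Basic', ... }, rejected: [...] }.
// Only keys of the form risk[<known metric>] with a whitelisted value are
// accepted; everything else is reported in `rejected` and never touches the form.
function parseRiskQuery(search) {
  const query = search.startsWith('?') ? search.slice(1) : search;
  const params = new URLSearchParams(query);
  const accepted = {};
  const rejected = [];
  for (const [key, value] of params) {
    const match = /^risk\[([A-Z]+)\]$/.exec(key);
    if (!match || !hasOwn(ALLOWED_VALUES, match[1])) {
      rejected.push(key);
      continue;
    }
    const metric = match[1];
    if (!ALLOWED_VALUES[metric].includes(value)) {
      rejected.push(`${key}=${value}`);
      continue;
    }
    accepted[metric] = value;
  }
  return { accepted, rejected };
}

// Apply accepted values to form controls. `lookupSelect(metric)` returns the
// control for a metric (or null); it is injected so the logic can be tested
// without a DOM. Returns the number of controls that were filled.
function prefillForm(accepted, lookupSelect) {
  let filled = 0;
  for (const [metric, value] of Object.entries(accepted)) {
    const select = lookupSelect(metric);
    if (!select) continue;
    select.value = value;
    filled += 1;
  }
  return filled;
}

// Browser entry point (assumed form layout: <select name="risk[AC]"> etc.).
if (typeof document !== 'undefined') {
  const { accepted } = parseRiskQuery(window.location.search);
  prefillForm(accepted, (metric) =>
    document.querySelector(`select[name="risk[${metric}]"]`));
}
```

In a browser this runs on page load and leaves the form untouched when the URL carries no `risk[...]` parameters, so the existing manual workflow keeps working; the whitelist is what keeps an emailed link from injecting anything other than one of the known option values.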

Comments
Thanks for noticing this
Thanks for noticing this problem and writing about it so we can improve the situation :)
I think it makes a ton of sense to add some more links to the footer of the email. Not everyone will read them every time, or even read them ever, but if the information is included it can help educate at least some people who do want to read them :)
+1 from me for this proposal.
knaddison blog | Morris Animal Foundation