pkg audit / vuln.xml failures

[Roger Marquis]

Does anyone know what's going on with vuln.xml updates?  Over the last
few weeks and months CVEs and application mailing lists have announced
vulnerabilities for several ports that in some cases only showed up in
vuln.xml after several days and in other cases are still not listed
(despite email to the security team).

Is there a URL outlining the policies and procedures of vuln.xml
maintenance?

Roger Marquis