
Describe dispute process

Open scovetta opened this issue 4 years ago • 0 comments

We need to describe the dispute process / workflow. If someone disagrees with a review (meaning, it conflicts with the OpenSSF code of conduct, contains false or misleading material, is inaccurate, requires additional important context, contains a 0-day, etc.) -- how can they dispute it?

Perhaps:

  • Step 1 - Open an issue with the details on the security-reviews project. Resolve it that way.
  • Step 2 - (If not resolved), open an issue on the tac project. Resolve it that way.

Do we need a way to privately handle disputes? If so, maybe we can set up a private OpenSSF mailing list?

I'm hoping these cases are few and far between, but we should table-top this to be sure we know it'll work.

We also have a more practical issue -- once a PR is raised, the issue should be considered public. We can't erase the content from the Internet, and we shouldn't try to do unnatural things to the repository except for the most extreme cases.

  • [ ] Include dispute resolution in the tabletop exercise.
  • [ ] Consider a private mailing list for sensitive dispute resolution.
  • [ ] Create PR templates that make it clear what kind of content to accept/not accept.
  • [ ] Consider a PR build job that attempts to identify 0-day or inappropriate language and blocks the PR.

scovetta, Feb 09 '21 00:02