Clarify the 96-hour vulnerability remediation process

[BenWilson-Mozilla]

Occasionally, the NetSec group has received comments that the 96-hour process for remediation of critical vulnerabilities in section 4.f. needs to be clarified.

[clintwilson]

1. Align with more common frameworks/timelines for vuln remediation
2. Add requirements for non-critical vulns
3. Ensure clarity of requirement
4. Align scope (ideally through a scoping of the entire NCSSRs)

[BenWilson-Mozilla]

Close because handled by Ballot NS-004.