Double our advance notification period

I've received multiple pleas from downstream stakeholders to give
longer notice before publication, since a week can be insufficient
time to prep roll-out or package updates for complex vulnerability
fixes spanning multiple projects and services.

Increase the advance notification from 3-5 business days to 5-10
business days in order to accommodate more complicated advisories,
at the coordinator's discretion.

Note that we can't go past this if we continue to notify the private
linux-distros mailing list at the same time, since their policy is
that anything disclosed to them must also be published to the
oss-security mailing list within two weeks.

Change-Id: I12d057f357b35f62a89654226baaa6c5b83e00dd
Signed-off-by: Jeremy Stanley <fungi@yuggoth.org>
This commit is contained in:
Jeremy Stanley
2025-11-04 21:59:10 +00:00
parent 44c17a0e63
commit 4ee4367072


@@ -221,7 +221,7 @@ Embargoed disclosure
Once the patches are approved and the CVE is assigned, a signed
email with the vulnerability description is sent to the downstream
stakeholders. The disclosure date is set to 3-5 business days,
stakeholders. The disclosure date is set to 5-10 business days,
excluding Monday/Friday and holiday periods, at 1500 UTC. No
stakeholder is supposed to deploy public patches before disclosure
date. Once the email is sent, any stakeholders who reply requesting
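Review bot: The new upper bound of 10 business days in the changed sentence ("The disclosure date is set to 5-10 business days") coincides with the two-week cap the commit message cites for the linux-distros list, but neither that ceiling nor the "at the coordinator's discretion" qualifier reaches the document itself; readers of the policy will not see the commit message. Suggest adding a sentence after the changed line stating that the longer end of the range is used at the coordinator's discretion for complex multi-project advisories and that the date must not exceed the two-week limit imposed by the linux-distros notification. Relatedly, the unchanged context "excluding Monday/Friday and holiday periods" could be read as extending the count of business days past two calendar weeks when holidays fall inside the window; it would be worth making explicit that the calendar ceiling takes precedence over the business-day count.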