Additional criteria from Best Practices Badge

[david-a-wheeler]

Though baseline tries to have relatively few criteria compared to the OpenSSF Best Practices badge, I think there are still some that should be considered. I looked at this mapping to see which ones weren't mapping, and these seemed especially important to me:

• If private vulnerability reports are supported, the project MUST include how to send the information in a way that is kept private.
• The project MUST have at least one primary developer who knows how to design secure software. (See ‘details’ for the exact requirements.)
• At least one of the project's primary developers MUST know of common kinds of errors that lead to vulnerabilities in this kind of software, as well as at least one method to counter or mitigate each of them.
• The public repositories MUST NOT leak a valid private credential (e.g., a working password or private key) that is intended to limit public access.
• The project results MUST check all inputs from potentially untrusted sources to ensure they are valid (a whitelist), and reject invalid inputs, if there are any restrictions on the data at all.
• Upgrade static_analysis_common_vulnerabilities from SUGGESTED to MUST: "A project MUST use at least one static analysis tool with rules or approaches to look for common vulnerabilities in the analyzed language or environment, if there is at least one FLOSS tool that can implement this criterion in the selected language."
• "A project MUST implement continuous integration, where new or changed code is frequently integrated into a central code repository and automated tests are run on the result."
• The project MUST have a reproducible build. (at top tier)

That doesn't mean the others are irrelevant, but these seem important to investigate.