I don't think its right to set a strict time limit

why not? most security policies for larger projects do (this PR is loosening it from 48 hours to 3 working days)

Node has

Normally, your report will be acknowledged within 5 days, and you'll receive a more detailed response to your report
within 10 days indicating the next steps in handling your submission. These timelines may extend when our triage 
volunteers are away on holiday, particularly at the end of the year.

I think a detailed response in 3 days is too short and for no reason, I'd follow Node with 10 days

I agree, a little more time would be great.

I'm able to do 24-48 hours on all my projects without any of those things - responding to an email takes 30 seconds. Perhaps a longer time for the detailed triage, but do we really need a long time for the acknowledgement?

I don't think it should be a long time either, 7 days for the second contact would be fine in my opinion.

I think for us the main issue has been that we have a triage team but no clear delineation for who will reply and so we raise the issues and then unless someone volunteers it can sit. Like the one I just replied to had been sitting for 7 days because when I posted it to the triage channel I was busy with other things and could not immediately do more than copy the text from my phone into the slack. Obviously we can try to send teh 30 "ack" email, and if we think that is better than fine, but many of these we reply with having done at least an initial investigation. Not saying I am attached to that, just pointing it out because then 7 days makes more sense if we want to just once.

I actually preferred that an email be sent saying that it was received and then do the relevant investigation, rather than waiting to do part of the investigation before communicating anything to the reporter.

I will merge the PR, seems like we are aligned based on the last discussions done in the TC Meetings. Also I solved the conflict 😉