Update security reporting and contribution text.

CONTRIBUTING.md

@@ -118,7 +118,7 @@ the source file and the copyright and licensing notice:
     //
     // Description of file contents.
     //
-    // Copyright YYYY by AUTHOR.
+    // Copyright © YYYY by AUTHOR.
     //
     // Licensed under Apache License v2.0.  See the file "LICENSE" for more
     // information.
@@ -330,7 +330,7 @@ typedef, for example:
 
 All constant names are uppercase with underscores between words, e.g.,
 `PDFIO_THIS_CONSTANT`, `PDFIO_THAT_CONSTANT`, etc.  Constants begin with the
-"PDFio\_" prefix to avoid conflicts with system constants.  Private constants
+"PDFIO\_" prefix to avoid conflicts with system constants.  Private constants
 start with an underscore, e.g., `_PDFIO_THIS_CONSTANT`,
 `_PDFIO_THAT_CONSTANT`, etc.
 
@@ -369,11 +369,12 @@ extensions MUST NOT be used.
 The following variables are defined in the makefile:
 
 - `AR`; the static library archiver command,
-- `ARFLAGS`; options for the static library archiver command,
+- `ARFLAGS`; options for the static library archiver,
 - `CC`; the C compiler command,
-- `CFLAGS`; options for the C compiler command,
+- `CFLAGS`; options for the C compiler,
 - `CODESIGN_IDENTITY`: the code signing identity,
 - `COMMONFLAGS`; common compiler optimization options,
+- `CPPFLAGS`; options for the C preprocessor,
 - `DESTDIR`/`DSTROOT`: the destination root directory when installing.
 - `DSO`; the shared library building command,
 - `DSOFLAGS`; options for the shared library building command,
@@ -395,4 +396,5 @@ The following standard targets are defined in the makefile:
   with debug printfs and the clang address sanitizer enabled.
 - `install`; installs all distribution files in their corresponding locations.
 - `install-shared`; same as `install` but also installs the shared library.
+- `macos`; same as `all` but creates a Universal Binary (X64 + ARM64).
 - `test`; runs the unit test program, building it as needed.

SECURITY.md

@@ -5,6 +5,25 @@ This file describes how security issues are reported and handled, and what the
 expectations are for security issues reported to this project.
 
 
+Reporting a Security Bug
+------------------------
+
+For the purposes of this project, a security bug is a software defect that
+allows a *local or remote user* to gain unauthorized access or privileges on the
+host computer or to cause the software to crash.  Such defects should be
+reported to the project security advisory page at
+<https://github.com/michaelrsweet/pdfio/security/advisories>.
+
+Alternately, security bugs can be reported to "security AT msweet.org" using the
+PGP public key below.  Expect a response within 5 business days.  Any proposed
+embargo date should be at least 30 days and no more than 90 days in the future.
+
+> *Note:* If you've found a software defect that allows a *program* to gain
+> unauthorized access or privileges on the host computer or causes the program
+> to crash, that defect should be reported as an ordinary project issue at
+> <https://github.com/michaelrsweet/pdfio/issues>.
+
+
 Responsible Disclosure
 ----------------------
 
@@ -50,14 +69,6 @@ example:
     1.0rc1
 
 
-Reporting a Vulnerability
--------------------------
-
-Report all security issues to "security AT msweet.org".  Expect a response
-within 5 business days.  Any proposed embargo date should be at least 30 days
-and no more than 90 days in the future.
-
-
 PGP Public Key
 --------------