Requirement: Publicly known medium-high vulnerabilities unpatched for +60 days

Original discussion: https://github.com/nodejs/security-wg/pull/954/files#r1179651456
 @mhdawson 

> There MUST be no unpatched vulnerabilities of medium or higher severity that have been publicly known for more than 60 days.

