doc/triage.md: explain "waiting analysis"

Say that we should write a report if the NIST page says "awaiting analysis".

Change-Id: Ieabecd3743b6495c679650e950a466f5846aec70
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/555895
Run-TryBot: Jonathan Amsterdam <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>

Author: jba

doc/triage.md

@@ -216,3 +216,11 @@ Commonly missing packages include:
 
 - libgpgme-dev
 - libdevmapper-dev
+
+### "awaiting analysis"
+
+When the NIST page says "AWAITING ANALYSIS", write the report; don't wait for them
+to finish their analysis. "Awaiting analysis" just means that NVD hasn't yet looked
+at the vulnerability and assigned a severity score/CWE etc. Since we don't care about
+those pieces of information, we can ignore that banner and just create a report if
+the vulnerability is in scope for our database.