Noting corner-case in CPEPrefix instructions.

Also, removing conflicting wording about what to do if there's
no CPE available.

R=dcheng@chromium.org

Bug: 895969
Change-Id: I17916054d78882b9a57a0067de5507a592292727
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2144611Reviewed-by: Charlie Reis <creis@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Adrian Taylor <adetaylor@chromium.org>
Auto-Submit: Adrian Taylor <adetaylor@chromium.org>
Cr-Commit-Position: refs/heads/master@{#760184}

docs/adding_to_third_party.md

@@ -138,8 +138,10 @@ are typically allocated only when a vulnerability is found. You should follow
 the version number convention such that, when that does occur in future, we'll
 be notified. If no CPE is available, please specify "unknown".
 
-You may sometimes find that your package lacks a CPE, in which case this line
-can be omitted. If it does have a CPE, though, you should specify it.
+If you're using a patched or modified version which is halfway between two
+public versions, please "round downwards" to the lower of the public versions
+(it's better for us to be notified of false-positive vulnerabilities than
+false-negatives).
 
 ### Add a LICENSE file and run related checks
 

third_party/README.chromium.template

@@ -8,7 +8,7 @@ License: The license under which the package is distributed. Standard forms are
 License File: (OPTIONAL) File that contains a copy of the package's license. Use the special value NOT_SHIPPED to indicate that the package is not included in the shipped product, so its license does not need to be included in about:credits and no license file is required.
 Security Critical: Either yes or no depending on whether this package is shipped in releases. For example openssl is critical where cygwin is not.
 License Android Compatible: (OPTIONAL) Whether the package uses a license compatible with Android. Required only if the package is compatible and the 'License' field uses a non-standard value.
-CPEPrefix: (OPTIONAL) A 'common platform enumeration' version 2.2, as per https://nvd.nist.gov/products/cpe/search, which represents the upstream package. This will be used to report known vulnerabilities in the upstream software package, such that we can be sure to merge fixes for those vulnerabilities. Please ensure you're using the closest applicable upstream version, according to the standard format for the CPE for that package. For example, cpe:/a:xmlsoft:libxslt:1.0.10. If no CPE is available for the package, please specify "unknown".
+CPEPrefix: (OPTIONAL) A 'common platform enumeration' version 2.2, as per https://nvd.nist.gov/products/cpe/search, which represents the upstream package. This will be used to report known vulnerabilities in the upstream software package, such that we can be sure to merge fixes for those vulnerabilities. Please ensure you're using the closest applicable upstream version, according to the standard format for the CPE for that package. For example, cpe:/a:xmlsoft:libxslt:1.0.10. If no CPE is available for the package, please specify "unknown". If you're using a patched or modified version which is halfway between two public versions, please "round downwards" to the lower of the public versions (it's better for us to be notified of false-positive vulnerabilities than false-negatives).
 
 Description:
 A short description of what the package is and is used for.