Clarify date fields

[zmanion]

Discussed on the 2023-07-11 AWG call, better clarify the semantics of these date fields.

dateReserved
The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

dateAssigned
The date/time this CVE ID was associated with a vulnerability by a CNA.

datePublished
The date/time the CVE Record was first published in the CVE List.

datePublic
If known, the date/time the vulnerability was disclosed publicly.

dateReserved and datePublished are set by the Services.

dateAssigned and datePublic are optional and set by the CNA.

Before CVE Services, dateReserved and dateAssigned were more important for keeping track and state of CVE IDs. Post-Services, dateAssigned doesn't matter much to the Program overall, although individual CNAs may use it. I don't think the Services have an "assigned" state.

Copied from CVEProject/automation-working-group#119

[sei-vsarvepalli]

Should probably go in to the best practices, see #241. The current document is scoped for Affected Product only, this date information should be part of such a document.