Documentation: security-bugs.rst: clarify CVE handling

The kernel security team does NOT assign CVEs, so document that properly
and provide the "if you want one, ask MITRE for it" response that we
give on a weekly basis in the document, so we don't have to constantly
say it to everyone who asks.

Link: https://lore.kernel.org/r/2023063022-retouch-kerosene-7e4a@gregkh


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>