docs: add a note about reporting security vulns (#5541)

We *do* have the occasional security issue, where it would be nice to have
non-public disclosure and time to fix the issue before it's fully public. Our
github infrastracture does not make it easy to report vulnerabilities in
confidential manner, so let's leverage the distro mechanisms for that. I
think we're better off with this solution than leaving it up to individual
reporters to discover some mechanism on their own.