Improve vulnerability reporting process

[Marcono1234]

As part of reporting https://github.com/airlift/aircompressor/security/advisories/GHSA-973x-65j7-xcf4 for Aircompressor, I also tried to contact the maintainers here, and there were several problems:

• The SECURITY.md here recommends sending a mail to security@trino.io, but my mail was apparently ignored
• This repository also has private vulnerability reporting enabled (https://github.com/trinodb/trino/security/advisories/new; which is not mentioned in SECURITY.md), but my report https://github.com/trinodb/trino/security/advisories/GHSA-hg52-rhfq-x59c was ignored (?)
• I also created an issue (https://github.com/trinodb/trino/issues/20566), which was ignored as well (?)

Suggestions

• Pick either reporting per mail, or GitHub private vulnerability reporting; or in case you want to support both, mention both in SECURITY.md then Personally I would recommend GitHub private vulnerability reporting because it simplifies some things, e.g.
  • lower risk of mails getting lost or being considered as spam
  • private collaboration and requesting of CVE before advisory is published
  • working together on a fix in a private fork
• Actively check security@trino.io and the GitHub notifications for reports
• Communication This is probably most important. Please confirm when you received the report, confirm if you were able to reproduce it. Ask if something is unclear or you disagree with the reporter (maybe there is a misunderstanding). Describe your planned schedule for the fix or publication of the advisory, or mention if you need more time. The reporter usually does not expect that you immediately publish a fix, but just wants to make sure you are aware of the vulnerability and a fix is published eventually. The worst thing is when you don't respond and the vulnerability is then either never fixed, or the reporter decides to publicly disclose it or directly contacts MITRE. And then you as maintainers are surprised by it and have to rush a fix for it, which risks being incomplete; and your users might be vulnerable in the meantime.

[mosabua]

I am going to take this on @martint since I was already looking towards getting some openssf badges and such. Will work with you and @wendigo and others.