docs: flesh out security policy

Author: achesin

SECURITY.md

@@ -8,6 +8,11 @@
 
 ## Reporting a Vulnerability
 
-You can report a vulnerability, via Github or mail to [email protected]
+If you have discovered a security vulnerability in this project, please report it privately. **Do not disclose it as a public issue.**
+This gives us time to work with you to fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released.
 
-You will receive a feedback typical within 72h. 
+You can report a vulnerability
+- via our [security advisory](https://github.com/Dexus/pem/security/advisories/new) following [GitHub's private vulnerability reporting feature](https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) 
+- email to [email protected]
+
+You will receive feedback typically within 72h.