Update SECURITY.md

Author: asmyasnikov

SECURITY.md

@@ -1,21 +1,21 @@
 # Security Policy
 
-## Supported Versions
+## Reporting a Vulnerability
 
-Use this section to tell people about which versions of your project are
-currently being supported with security updates.
+We're extremely grateful for security researchers and users who report vulnerabilities they discovered in YDB. All reports are thoroughly investigated.
 
-| Version | Supported          |
-| ------- | ------------------ |
-| 5.1.x   | :white_check_mark: |
-| 5.0.x   | :x:                |
-| 4.0.x   | :white_check_mark: |
-| < 4.0   | :x:                |
+To report a potential vulnerability in YDB please email details to [[email protected]](mailto:[email protected]).
 
-## Reporting a Vulnerability
+### When Should I Report a Vulnerability?
+
+- You think you discovered a potential security vulnerability in YDB
+- You are unsure how a vulnerability affects YDB
+
+## Security Vulnerability Response
+
+Each report is acknowledged and analyzed by YDB maintainers within 5 working days.
+We will keep the reporter informed about the issue progress.
 
-Use this section to tell people how to report a vulnerability.
+## Public Disclosure Timing
 
-Tell them where to go, how often they can expect to get an update on a
-reported vulnerability, what to expect if the vulnerability is accepted or
-declined, etc.
+A public disclosure date is negotiated by YDB maintainers and the bug submitter. We prefer to fully disclose the bug as soon as possible once a mitigation is available for YDB users. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it's already publicly known) to 90 days. For a vulnerability with a straightforward mitigation, we expect report date to disclosure date to be on the order of 7 days.