docs: update security policy and add CVE info

[dpgaspar]

SUMMARY

By Apache Foundation recommendation this PR adds a comprehensive list of currently public CVEs by release to our docs
Also updates our current security policy to make it more comprehensive and adds a link to the CVEs.

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[rusackas]

I love it! Thank you for adding this. I guess just one question around the policy for the CVE page. It seems we have a few options, and I'm curious your intent:

1. We can keep adding new versions, and maintaining the lists for the old versions
2. We can keep adding new versions, and backfill prior versions as well
3. We can add/trim entries to cover only the supported releases (last two major and/or minor versions, and patches thereof).

[dpgaspar]

I love it! Thank you for adding this. I guess just one question around the policy for the CVE page. It seems we have a few options, and I'm curious your intent:

1. We can keep adding new versions, and maintaining the lists for the old versions
2. We can keep adding new versions, and backfill prior versions as well
3. We can add/trim entries to cover only the supported releases (last two major and/or minor versions, and patches thereof).

My take is to handle this like a release note, so when a CVE is made public (normally a bit after a new release) we just append to the doc. So this means the CVEs are inserted on the release where they got solved. So 1 or 3.

What do you think?