refactor[docs]: refactor security policy

SECURITY.md

@@ -2,58 +2,41 @@
 
 ## Supported Versions
 
-Vyper is currently in limited beta.
-This means that we only support the latest release and that you may encounter issues using it.
-It is un-audited software, use with caution.
+- each Vyper version in the range `<v0.1.0-beta.1, 0.3.10>` contains a high severity vulnerability
+  - if developing with such versions, please read https://github.com/vyperlang/vyper/security/advisories to learn how to work around the vulnerabilities
+- as of May 2024, the `0.4.0` release is the most secure and the most comprehensively reviewed one and is recommended for use in production environments
+- if a compiler vulnerability is found, a new compiler version with a patch will be released. The vulnerable version itself is not updated.
 
-## Audit reports
+## Compiler Audits
 
-Vyper is constantly changing and improving.
-This means the latest version available may not be audited.
-We try to ensure the highest security code possible, but occasionally things slip through.
+- Vyper is conducts recurring security audits with multiple firms. Additionally, a competitive audit with [CodeHawks](https://www.codehawks.com/contests/cll5rujmw0001js08menkj7hc) was conducted during the fall of 2023.
+- all Vyper audits can be found in a separate repository: [vyperlang/audits](https://github.com/vyperlang/audits)
 
-### Compiler Audits
 
-At specific releases, we conduct audits with experienced security professionals to ensure that the codebase quality is high,
-and that we minimize the chance of critical bugs as much as possible.
+## Known Vyper Vulnerabilities
 
-Here are the audits we have undergone in the past:
-
-| Audit Type | Audit Date | Auditor | Version | Report Link |
-| ---------- | ---------- | ------- | ------- | ----------- |
-| Preliminary Review | October 28, 2019 | [ConsenSys Diligence](https://consensys.net/diligence/) | 0.1.0b13 | https://consensys.net/diligence/audits/2019/10/vyper/ |
-
-### Major Project Audits
-
-Please read prior audit reports for projects that use Vyper here:
-
-<!-- Please use the tagged version if possible, or commit hash if a non-tagged version was used. -->
-
-| Project | Version | Report Link |
-| ------- | ------- | ----------- |
-| [Uniswap](https://uniswap.io) | 35038d2 | https://medium.com/consensys-diligence/uniswap-audit-b90335ac007 |
-| [Computable](https://github.com/computablelabs/computable) | 0.1.0b10 | https://github.com/trailofbits/publications/raw/master/reviews/computable.pdf |
-
-## Known Vyper Vulnerabilities and Exposures (VVEs)
-
-The link below is a list of all publicly disclosed vulnerabilities and exposures.
+- The link below is a list of all publicly disclosed vulnerabilities and exposures.
 Best Practices dictate that when we are first made aware of a potential vulnerability,
-we take the precaution of assessing it's potential impact to deployed projects first.
+we take the precaution of assessing its potential impact to deployed projects first.
 When we are confident that a disclosure will not impact known projects that use Vyper,
 we will add an entry to the list of security advisories for posterity and reference by others.
 
-https://github.com/vyperlang/vyper/security/advisories
+  - list of publicly known vulnerabilities: https://github.com/vyperlang/vyper/security/advisories
+
+
+## Bug Bounty Program
+- as of May 2024, Vyper does not have a bug bounty program. It is planned to instantiate one in the near future.
 
 ## Reporting a Vulnerability
 
-If you think you have found a security vulnerability with a project that has used Vyper,
+If you think you have found a security vulnerability caused by the compiler with a project that has used Vyper,
 please report the vulnerability to the relevant project's security disclosure program prior
-to reporting to us. If one is not available, submit it at https://github.com/vyperlang/vyper/security/advisories.
+to reporting to us. Additionally, please submit the compiler vulnerability at https://github.com/vyperlang/vyper/security/advisories.
 
 **Please Do Not Log An Issue** mentioning the vulnerability.
 
-If you have contacted the relevant project, or you have found something that you do not think affects
-a particular project, please also email your vulnerability to security@vyperlang.org. Our PGP key is:
+
+The Vyper team can also be reached via email at security@vyperlang.org. Our PGP key is:
 ```
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: OpenPGP.js v4.7.2