Add security notice with new policies.

src/pages/en/about/security-notice.md

@@ -1,30 +1,24 @@
 ---
 title: Security Notice
-description: How to report a security vulnerability in one of our projects.
+description: How to report a security vulnerability in a Quilt project.
 layout: /src/layouts/Page.astro
 ---
 
-This is the security notice for all QuiltMC repositories. The notice explains how security vulnerabilities should be reported. We also support the [security.txt](/.well-known/security.txt) standard.
+This notice details how to report any security vulnerabilities you find in a QuiltMC project. Please **do not** use GitHub issues or other public spaces (Discord, the Quilt Forum, etc.) to report security vulnerabilities.
 
-# Reporting a Vulnerability
+## What to include
+When submitting your report, please include the following:
+- Details about where the vulnerability can be found.
+- A brief description of the vulnerability.
+- Steps to reproduce the vulnerability.
+- Screenshots, recordings or logs showing the vulnerability being exploited, if possible.
 
-If you've found a vulnerability, please let us know privately so that we can fix it before it is released publicly. **Do not open a GitHub issue to report a security vulnerability.**
+## Reporting via GitHub
+The preferred way to report a vulnerability is to submit a [Private Vulnerability Report](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) on GitHub. These are private GitHub issues which are only accessible to repository maintainers.
 
-Send details to [[email protected]](mailto:[email protected]), including:
+To submit a private vulnerability report, go to the relevant repository, click the **Security** tab, click **Report a vulnerability** and fill out the form. Please give as much detail as you can, including the type of vulnerability and detailed reproduction steps. After you submit the report, you can optionally create a private fork of the repository in question, which you can use to submit a patch for the vulnerability you're reporting.
 
-* The website, page, tool or repository where the vulnerability can be observed
-* A brief description of the vulnerability
-* Optionally the type of vulnerability and any related [OWASP category](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project)
-* Non-destructive exploitation details and proof of concept
+## Reporting via email
+Alternatively, you can submit your report by emailing [[email protected]](mailto:[email protected]). If you would like to encrypt your email, you can use [this GPG key](/.gpg/administrative-board.gpg).
 
-We will do our best to reply as fast as possible. [A PGP key is available](/.gpg/administrative-board.gpg) if you'd like to encrypt the email.
-
-## Scope
-The following vulnerabilities are not in scope:
-
-* Volumetric vulnerabilities, for example overwhelming a service with a high volume of requests
-* Reports indicating that our services do not fully align with “best practice”, for example missing security headers
-
-If you aren't sure whether a vulnerability is in scope or not, you can still reach out via email.
-
-This notice is inspired by the [GDS Security Notice](https://github.com/alphagov/.github/blob/master/SECURITY.md).
+This notice was partially inspired by the UK's [GDS security notice](https://github.com/alphagov/.github/blob/main/SECURITY.md)