docs: Clarify details for reporting security bugs

The kernel security team is regularly asked to provide CVE identifiers,
which we don't normally do. This updates the documentation to mention
this and adds some more details about coordination and patch handling
that come up regularly. Based on an earlier draft by Willy Tarreau.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>