[CNCF Graduation] [Security] Enhance SECURITY.md: Reporting, Supported Versions, and Early Disclosure #284

@kfaseela

Description

Buildpacks currently has a security contact (security@buildpacks.io) documented in SECURITY.md.

To further align with CNCF Graduation expectations and best practices, we suggest adding or clarifying the following:

  • Expected Contents of a Security Report: guidance on what information to include (affected versions, steps to reproduce, impact, logs).
  • Response Workflow and Timelines: clarify acknowledgment timelines, follow-up procedures, and roles responsible for handling reports.
  • Supported Versions: document which Buildpacks versions are actively supported for security fixes.
  • Early Disclosure / Security Mailing List: provide instructions for joining an early disclosure list or alias, if available, for coordinated security notifications.
  • Public Disclosure Mechanism: explain how resolved vulnerabilities will be publicly communicated (e.g., GitHub Security Advisory, release notes, mailing list).

These enhancements build on the existing security contact/email, improve transparency, and provide clear guidance for contributors and users reporting vulnerabilities.

Reference: (e.g., Crossplane SECURITY.md)

Metadata

Assignees: No one assigned
Labels: No labels
Type: No type
Projects: No projects
Relationships: None yet
Development: No branches or pull requests