docs: updated the vulnerability reporting process and added escalation steps

Ref: https://github.com/openjs-foundation/cross-project-council/pull/1588

Closes gh-5701

SECURITY.md

@@ -6,7 +6,29 @@ The [latest released version](https://github.com/jquery/jquery/releases) of jQue
 
 ## Reporting a Vulnerability
 
-Please email security@jquery.com, and we will respond as quickly as possible.
+Please report security issues **privately**:
 
-If the vulnerability is considered valid and accepted, a patch will be made for the latest jQuery version.
-If the vulnerability is deemed invalid, no further action is required.
+- Email: security@jquery.com
+
+**Do not** file public GitHub issues for security problems.
+
+When reporting, please include:
+- Affected project/repo and version(s)
+- Impact and component(s) involved
+- Reproduction steps or PoC (if available)
+- Your contact and preferred credit name
+
+If you do not receive an acknowledgement of your report within **6 business days**, or if you cannot find a private security contact for the project, you may **escalate to the OpenJS Foundation CNA** at `security@lists.openjsf.org`.
+
+If the project acknowledges your report but does not provide any further response or engagement within **14 days**, escalation is also appropriate.
+
+## Coordination & Disclosure
+
+Important:
+- If the vulnerability is considered valid and accepted, a patch will be made for the latest jQuery version.
+- If the vulnerability is deemed invalid, no further action is required.
+
+We follow coordinated vulnerability disclosure:
+- We will acknowledge your report, assess impact, and work on a fix.
+- We aim to provide status updates at reasonable intervals until resolution.
+- We will publish a security advisory (and **CVE via the OpenJS CNA when applicable**) once a fix or mitigation is available. We credit reporters by default unless you request otherwise.