Add SLO for severity::4 Low vulnerabilities

Why is this change being made?

Having no SLO for severity4 security vulnerabilities means they are highly unlikely to be prioritized and thus fixed. We want to make it very clear of the timeframe we want them fixed within because they are still vulnerabilities susceptible to exploiting.

Author Checklist

• Provided a concise title for the MR
• Added a description to this MR explaining the reasons for the proposed change, per say-why-not-just-what
  • Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added.
• Assign reviewers for this change to the correct DRI(s)
  • If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the "Maintained by" section in on the page being edited.
  • If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies.
• If the changes affect team members, or warrant an announcement in another way, please consider posting an update in #whats-happening-at-gitlab linking to this MR.
  • If this is a change that directly impacts the majority of global team members, it should be a candidate for #company-fyi. Please work with internal communications and check the handbook for examples.

Rollout plan

• Announce to #whats-happening-at-gitlab, #eng-managers and (anywhere else?...)
  • See below for suggested text
• Add due dates to automation for new issues: https://gitlab.com/gitlab-private/gl-security/engineering-and-research/automation-team/escalator/appsec-escalator/-/merge_requests/14+
• Identify all existing priority4 bugvulnerability and create an Epic linking them for prioritisation
  • Identify which, if any, need a due date of triage date + 180 days
  • Identify which, if any, can have a due date of now + 180 days
  • Mitigate the impact of many issues all coming due at the same time / in the same release

As of DATE all future S4/P4 security issues will have an SLO of 180 days. To ensure this is met, due dates will be automatically assigned to align with the closest security release before that date. Existing S4/P4s will be prioritised and given due dates in a separate effort.

---