clarify on issue handling/re-use and escalation upstream

Why is this change being made?

As agreed in the AppSec sync, we'd like to clarify how the AppSec team handles bug bounty submissions which might apply to third parties.

Does this MR meet the acceptance criteria?

Conformity
