Vulnerabilities are created as confidential by default - backstage
### Problem to solve
The [backstage implementation of the First-class Vulnerabilities](#10242) has introduced the Vulnerability entity. The [MVC Standalone Vulnerability objects](#13561) will provide the frontend representation for these objects. But currently, they are created as "visible by anyone object".
### Intended users
* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)
### Proposal
According to [engineering discovery](https://gitlab.com/gitlab-org/gitlab/issues/10252#interactions), Vulnerabilities should be created confidential by default. Confidential Vulnerabilities should work in the same way as [Confidential Issues](https://docs.gitlab.com/ee/user/project/issues/confidential_issues.html#confidential-issues) from the UX and permissions perspective.
### Permissions and Security
Copy the confidential Issues permissions model to Vulnerabilities
### Documentation
- [-] ~~Update the `Vulnerabilities user docs page`~~ this is not required, it's enough to update the [Permissions page stub](!17364), which [has already been performed](https://gitlab.com/gitlab-org/gitlab/merge_requests/17364/diffs?commit_id=765eb4f443d7d346ad45193ee2e33173cb624509).
- [-] ~~Update the `Create a Vulnerability from Finding API docs entry`~~ the same
### Testing
See [the development log](#development-log).
### What does success look like, and how can we measure that?
GitLab users won't have the vulnerabilities information disclosed for their projects.
### What is the type of buyer?
~"GitLab Ultimate"
### Links / references
### Development log
#### Status
- [x] Introduce new permission `read_vulnerability` for `read` operations on Vulnerabilities as an alias for `read_project_security_dashboard` ability
- [-] ~~Implement the `VulnerabilityPolicy` rules for confidentiality similarly to `IssuePolicy` and use the `read_vulnerability` ability as a prerequisite for all checks~~ There's no need in separate `VulnerabilityPolicy`, everything can be decided at `EE::ProjectPolicy`
- [ ] Add new tests
- [x] New access tests for `GET /projects/:id/vulnerabilities` endpoint
- [ ] New access tests for `create_vulnerability`
- [ ] First, wait for !18283 is merged
- [ ] `Vulnerabilities::CreateService`
- [ ] `POST /projects/:id/vulnerabilities` endpoint
- [x] New access tests for `resolve_vulnerability`
- [x] `Vulnerabilities::ResolveService`
- [x] `POST /vulnerabilities/:id/resolve` endpoint
- [x] New access tests for `dismiss_vulnerability`
- [x] `Vulnerabilities::DismissService`
- [x] `POST /vulnerabilities/:id/dismiss` endpoint
#### Decisions
- Vulnerabilities are confidential but [the minimum access level required is `Developer`](https://gitlab.com/gitlab-org/gitlab/issues/34430#note_237246914)
- There's no need in separate `VulnerabilityPolicy`, everything can be decided at `EE::ProjectPolicy`
issue