chore(security.md): add more precisions regarding sec bugs reporting (#2692)

* chore(security.md): add more precisions regarding sec bugs reporting

Signed-off-by: machine424 <[email protected]>

* address review feedback

Signed-off-by: machine424 <[email protected]>

---------

Signed-off-by: machine424 <[email protected]>

Author: machine424

docs/operating/security.md

@@ -23,12 +23,22 @@ This page describes the general security assumptions of Prometheus and the
 attack vectors that some configurations may enable.
 
 As with any complex system, it is near certain that bugs will be found, some of
-them security-relevant. If you find a _security bug_ please report it
-privately to the maintainers listed in the MAINTAINERS of the relevant
+them security-relevant.
+
+For _security bugs_ that have already been publicly disclosed (e.g. via public CVEs)
+and require more than just a dependency version bump to fix, please open a
+[Bug report](https://github.com/prometheus/prometheus/issues) including all relevant
+details, unless one has already been filed.
+
+If you discover a _security bug_ that has not yet been publicly disclosed, please
+report it privately to the maintainers listed in the MAINTAINERS of the relevant
 repository and CC [email protected]. We will fix the issue as soon
-as possible and coordinate a release date with you. You will be able to choose
-if you want public acknowledgement of your effort and if you want to be
-mentioned by name.
+as possible and coordinate a release date with you. You will be able to choose if
+you want public acknowledgement of your effort and if you want to be mentioned by name.
+
+Most dependency version updates are handled automatically. However, if a _security bug_
+fix only requires updating a dependency version and our automation missed it, feel
+free to submit the update directly.
 
 ## Automated security scanners