security: add the security bug tracker

Add a description of the security bug tracker and describe how to correctly
create issues. Email and GPG key of the team will be added further.

Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>

definitions.rst

@@ -5,3 +5,4 @@
 .. |contact_info| replace:: <TBD>
 .. |security_contact| replace:: <TBD>
 .. |security_public_key| replace:: <TBD>
+.. |security_bugtracker| replace:: <https://git.ostc-eu.org/security-team/security-bugs/-/issues>

security/cve_policy.rst

@@ -24,15 +24,21 @@ How to report a vulnerability?
 
 If you think you have found a security issue in our distribution, please contact
 us immediatelly by posting a confidential issue in our bug tracker in a
-dedicated security project (include details on how to make it confidential), or
-by email using the address |security_contact|.
+dedicated `security project |security_bugtracker|`.
+
+To do so, login into our issue tracker or create a new account if you do not have one
+yet. Click on ``New issue``, then make sure to check the checkbox at the bottom 
+'This issue is confidential and should only be visible to team members with at least 
+Reporter access'. Please use the 'Issue' type of ticket and the associated template.
+Fill in the title, answer the questions in the 'Description' field.
+Then click 'Create issue'.
 
 Your report should contain a description of the issue, the steps you took to
 reproduce the issue (including the image name), affected versions, and, if
 known, any mitigations for the issue.
 
-If desired, you can also use GPG-encrypted email using our public key
-|security_public_key|.
+We plan to add a security-related mailing list and a possibility to send
+GPG-encrypted email in the near future.
 
 We aim to acknowledge the reception within one working day, and responding with
 a first assessment within three working days. We follow a 90 days disclosure