Updates security.txt with compliant & up-to-date details

- `security@` is not a supported disclosure method
- We use H1 for our acknowledgements
- To be RFC compliant we need an expiry date (https://securitytxt.org/)
- RFC says canonical points to the security.txt file itself
- Adds some explanatory comments

See also: https://gitlab.com/gitlab-com/www-gitlab-com/-/merge_requests/108013