docs(security): use GitHub security advisories

SECURITY.md

@@ -4,18 +4,19 @@ We take security seriously. Responsible reporting and disclosure of security
 vulnerabilities is important for the protection and privacy of our users. If you
 discover any security vulnerabilities, please follow these guidelines.
 
-To report a vulnerability, we recommend submitting a report to Snyk using their
-[vulnerability disclosure form](https://snyk.io/vulnerability-disclosure/).
-Snyk's security team will validate the vulnerability and coordinate with you and
-us to fix it, release a patch, and responsibly disclose the vulnerability. Read
-Snyk's
-[Vulnerability Disclosure Policy](https://docs.snyk.io/more-info/disclosing-vulnerabilities/disclose-a-vulnerability-in-an-open-source-package)
-for details.
-
-We also request that you send an email to
-[[email protected]](mailto:[email protected]) detailing the vulnerability.
-This ensures that we can begin work on a fix as soon as possible without waiting
-for Snyk to contact us.
+Published security advisories are available on our [GitHub Security Advisories]
+page.
+
+To report a vulnerability, please draft a [new security advisory on GitHub]. Any
+fields that you are unsure of or don't understand can be left at their default
+values. The important part is that the vulnerability is reported. Once the
+security advisory draft has been created, we will validate the vulnerability and
+coordinate with you to fix it, release a patch, and responsibly disclose the
+vulnerability to the public. Read GitHub's documentation on [privately reporting
+a security vulnerability] for details.
+
+If you are unable to draft a security advisory, or if you need help or have
+security related questions, please send an email to [[email protected]].
 
 Please do not report undisclosed vulnerabilities on public sites or forums,
 including GitHub issues and pull requests. Reporting vulnerabilities to the
@@ -27,10 +28,18 @@ public, at which time you will be free to publish details of the vulnerability
 on public sites and forums.
 
 If you have a fix for a security vulnerability, please do not submit a GitHub
-pull request. Instead, report the vulnerability as described in this policy and
-include a potential fix in the report. Once the vulnerability has been verified
-and a disclosure timeline has been decided, we will contact you to see if you
-would like to submit a pull request.
+pull request. Instead, report the vulnerability as described in this policy.
+Once we have verified the vulnerability, we can create a [temporary private
+fork] to collaborate on a patch.
 
 We appreciate your cooperation in helping keep our users safe by following this
 policy.
+
+[github security advisories]: https://github.com/json5/json5/security/advisories
+[new security advisory on github]:
+ https://github.com/json5/json5/security/advisories/new
+[privately reporting a security vulnerability]:
+ https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability
+[[email protected]]: mailto:[email protected]
+[temporary private fork]:
+ https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability