[$] Security policies for GNU toolchain projects

While the CVE process was created in response to real problems, it's increasingly clear that CVE numbers are
creating problems of their own. At the 2023 GNU Tools Cauldron,
Siddhesh Poyarekar expressed the frustration that toolchain developers have
felt as the result of arguing with security researchers about CVE-number
assignments. In response, the GNU toolchain community is trying to better
characterize what is — and is not — considered to be a security-relevant
bug in its software.