[PATCH 4.19 270/323] Documentation: security-bugs.rst: clarify CVE handling