Update security policy

Created by: nicksnyder

Remove distinction for sourcegraph.com since we are prioritizing working on it this year.

Clarify that we wait until our customers have a chance to upgrade.

Move "how to report a security vulnerability" content to handbook since that is an engineering process. This separates the marketing content of how our product deals with security and how we respond to security incidents. The former already links to the latter.