doc: add security escalation policy

doc: add security escalation policy · nodejs/node@bd767c5

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,13 @@ you informed of the progress being made towards a fix and full announcement,`
`15`	`15`	`and may ask for additional information or guidance surrounding the reported`
`16`	`16`	`issue.`
`17`	`17`
	`18`	`+If you do not receive an acknowledgement of your report within 6 business`
	`19`	`+days, or if you cannot find a private security contact for the project, you`
	`20`	+may escalate to the OpenJS Foundation CNA at `security@lists.openjsf.org`.
	`21`	`+`
	`22`	`+If the project acknowledges your report but does not provide any further`
	`23`	`+response or engagement within 14 days, escalation is also appropriate.`
	`24`	`+`
`18`	`25`	`### Node.js bug bounty program`
`19`	`26`
`20`	`27`	`The Node.js project engages in an official bug bounty program for security`