SECURITY.md: keep only GitHub private advisories, drop SLA

SECURITY.md

@@ -11,25 +11,20 @@ get fixes; please upgrade first.
 
 ## How to report a vulnerability
 
-**Please do not open a public issue** for security-sensitive findings. Use one
+**Please do not open a public issue** for security-sensitive findings.
-of these private channels instead:
 
-1. **Preferred:** GitHub's private security advisories.
+Use GitHub's private security advisories: go to the
-   Go to the [Security tab](../../security/advisories/new) of this repo and
+[Security tab](../../security/advisories/new) of this repo and click
-   click "Report a vulnerability". GitHub will route it to me privately.
+"Report a vulnerability". GitHub will route it privately.
-2. **Email:** `engelgardt2024@gmail.com` with the subject prefix `[security]`.
 
 Please include:
-- The version of `dhcpsrv` you tested (output of the startup banner is enough).
+- The version you tested (the startup banner is enough).
 - Steps to reproduce, ideally with a packet capture or a short script.
 - An assessment of impact (LAN-only? remote? admin needed? etc.).
 
-## What to expect
+Reports are reviewed and addressed on a best-effort basis. A fix and a public
-
+advisory will be published once the issue is resolved. Reporters are credited
-- Acknowledgement within **3 business days**.
+unless they prefer to stay anonymous.
-- A first technical reply within **7 business days**.
-- A fix and a public advisory once the issue is resolved. Reporters are
-  credited unless they prefer to stay anonymous.
 
 ## Out of scope