Clarify process: keep work on security issues fully confidential.

This is already pretty much the way we work now, but there are edge cases where we were not always working from a confidential issue, and this provides clarity in that regard.

@briann please review and merge if OK.