[$] Security policies for GNU toolchain projects

While the CVE process was created in response to real problems, it's increasingly clear that CVE numbers arecreating problems of their own. At the 2023 GNU Tools Cauldron,Siddhesh Poyarekar expressed the frustration that toolchain developers havefelt as the result of arguing with security researchers about CVE-numberassignments. In response, the GNU toolchain community is trying to bettercharacterize what is - and is not - considered to be a security-relevantbug in its software.