
Commit 9199056

docs: include CNA Escalation in the security policy (#13)
* docs: include CNA Escalation in the security policy

  References:
  - openjs-foundation/cross-project-council#1588
  - https://openjsf.org/blog/openjs-foundation-cna

* chore: rewording
1 parent 81ceee0 commit 9199056

1 file changed

+5
-1
lines changed

SECURITY.md

Lines changed: 5 additions & 1 deletion
@@ -19,7 +19,11 @@ To securely report a vulnerability, please open an advisory on the affected GitH
1919
3. Issue a security advistory through GitHub.
2020
4. Write a blog post about the vulnerability.
2121
5. Notify Tidelift about the vulnerability.
22-
22+
23+
If you do not receive an acknowledgement of your report within six business days, or if you cannot find a private security contact for the project, you may escalate to the OpenJS Foundation CNA at `security@lists.openjsf.org`.
24+
25+
If the project acknowledges your report but does not provide any further response or engagement within 14 days, escalation is also appropriate.
26+
2327
## Security Advisories
2428

2529
Security advisories are only issued when a confirmed vulnerability can be exploited by a non-local actor. Because ESLint and its related packages are primarily used as development dependencies on local machines, there are no security concerns related to regular expression performance or other problems that could bring down a public-facing server. These issues should be filed as bug reports instead of advisories.
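Review bot: the unchanged context line at the top of this hunk ("3. Issue a security advistory through GitHub.") still carries the typo "advistory" for "advisory"; since this change already edits the surrounding text, it is worth correcting in the same commit. The two new escalation paragraphs also mix units: the acknowledgement deadline is "six business days" while the follow-up deadline is "14 days", so consider stating whether the 14-day window is calendar or business days so reporters and maintainers read it the same way. Finally, the commit message cites the OpenJS Foundation CNA announcement; linking it from the new text, e.g. `the [OpenJS Foundation CNA](https://openjsf.org/blog/openjs-foundation-cna)`, would give readers the source for the escalation path alongside the `security@lists.openjsf.org` address.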
