SECURITY.md: Wordsmithing and clarifications

- Clarify that encrypted e-mail is optional.
- Mention the new GitHub security advisory system.
- Clarify that vulnerabilities against new features that are not yet in
  a Stable release series need not be reported securely.

.github/SECURITY.md

@@ -2,8 +2,21 @@
 
 ## Supported Versions
 
-Any branch/release series that is in the [Next-Gen, Active, Maintenance, or Extended support category](https://libjpeg-turbo.org/DeveloperInfo/Versioning) is eligible for security updates.
+Fixes for security vulnerabilities are applied to any applicable branch/release
+series that is in the
+[Next-Gen, Active, Maintenance, or Extended support category](https://libjpeg-turbo.org/DeveloperInfo/Versioning).
 
 ## Reporting a Vulnerability
 
-To securely report vulnerabilities, [contact the project admin](https://libjpeg-turbo.org/About/Contact) using GPG-encrypted e-mail.
+Vulnerabilities can be reported in one of the following ways:
+
+- [E-mail the project admin](https://libjpeg-turbo.org/About/Contact).  You can
+  optionally encrypt the e-mail using the provided public GPG key.
+- Open a
+  [GitHub draft security advisory](https://github.com/libjpeg-turbo/libjpeg-turbo/security/advisories/new).
+- [Alpha/Evolving, Beta, and Post-Beta release series](https://libjpeg-turbo.org/DeveloperInfo/Versioning)
+  are not expected to be free of bugs, so vulnerabilities that affect only
+  those release series (for example, vulnerabilities introduced by a new
+  feature that is not present in a Stable release series) can optionally be
+  reported using a
+  [GitHub bug report](https://github.com/libjpeg-turbo/libjpeg-turbo/issues/new/choose).