
Write Runbooks for Addressing CVEs

Open noelmiller opened this issue 3 months ago • 0 comments

When dealing with #553, I noticed we did not have a defined plan for dealing with CVEs. I think it would be valuable to have a runbook on how to address CVEs.

I think we should also include information in the contributing guide about how to responsibly disclose CVEs to the team.

Rough information that should go in the runbook: (thanks @bsherman)

  1. create a "war room" thread in #ublue-dev
  2. pause all dev work (PR merges, extraneous GitHub builds) until the CVE is handled or parallel efforts are agreed on
  3. coordinate to write our own announcement
  4. test images/builds as needed

noelmiller · Apr 10 '24 16:04