Revise security policy and reporting instructions (#5096)

* Revise security policy and reporting instructions

Updated the security reporting process and contact details.

* Update .github/security.md
---------

.github/security.md

@@ -1,50 +1,12 @@
 ## CrewAI Security Policy
 
-We are committed to protecting the confidentiality, integrity, and availability of the CrewAI ecosystem. This policy explains how to report potential vulnerabilities and what you can expect from us when you do.
-
-### Scope
-
-We welcome reports for vulnerabilities that could impact:
-
-- CrewAI-maintained source code and repositories
-- CrewAI-operated infrastructure and services
-- Official CrewAI releases, packages, and distributions
-
-Issues affecting clearly unaffiliated third-party services or user-generated content are out of scope, unless you can demonstrate a direct impact on CrewAI systems or customers.
+We are committed to protecting the confidentiality, integrity, and availability of the
+CrewAI ecosystem.
 
 ### How to Report
 
-- **Please do not** disclose vulnerabilities via public GitHub issues, pull requests, or social media.
-- Email detailed reports to **security@crewai.com** with the subject line `Security Report`.
-- If you need to share large files or sensitive artifacts, mention it in your email and we will coordinate a secure transfer method.
+Please submit reports to **crewai-vdp-ess@submit.bugcrowd.com**
 
-### What to Include
-
-Providing comprehensive information enables us to validate the issue quickly:
-
-- **Vulnerability overview** — a concise description and classification (e.g., RCE, privilege escalation)
-- **Affected components** — repository, branch, tag, or deployed service along with relevant file paths or endpoints
-- **Reproduction steps** — detailed, step-by-step instructions; include logs, screenshots, or screen recordings when helpful
-- **Proof-of-concept** — exploit details or code that demonstrates the impact (if available)
-- **Impact analysis** — severity assessment, potential exploitation scenarios, and any prerequisites or special configurations
-
-### Our Commitment
-
-- **Acknowledgement:** We aim to acknowledge your report within two business days.
-- **Communication:** We will keep you informed about triage results, remediation progress, and planned release timelines.
-- **Resolution:** Confirmed vulnerabilities will be prioritized based on severity and fixed as quickly as possible.
-- **Recognition:** We currently do not run a bug bounty program; any rewards or recognition are issued at CrewAI's discretion.
-
-### Coordinated Disclosure
-
-We ask that you allow us a reasonable window to investigate and remediate confirmed issues before any public disclosure. We will coordinate publication timelines with you whenever possible.
-
-### Safe Harbor
-
-We will not pursue or support legal action against individuals who, in good faith:
-
-- Follow this policy and refrain from violating any applicable laws
-- Avoid privacy violations, data destruction, or service disruption
-- Limit testing to systems in scope and respect rate limits and terms of service
-
-If you are unsure whether your testing is covered, please contact us at **security@crewai.com** before proceeding.
+- **Please do not** disclose vulnerabilities via public GitHub issues, pull requests,
+  or social media
+- Reports submitted via channels other than this Bugcrowd submission email will not be reviewed and will be dismissed