SECURITY-PROCESS: tweak a little to match current practices

Closes #7713

docs/SECURITY-PROCESS.md

@@ -62,19 +62,20 @@ announcement.
 - Request a CVE number from
   [HackerOne](https://docs.hackerone.com/programs/cve-requests.html)
 
-- Consider informing
-  [distros@openwall](https://oss-security.openwall.org/wiki/mailing-lists/distros)
-  to prepare them about the upcoming public security vulnerability
-  announcement - attach the advisory draft for information. Note that
-  'distros' won't accept an embargo longer than 14 days and they do not care
-  for Windows-specific flaws.
-
 - Update the "security advisory" with the CVE number.
 
 - The security team commits the fix in a private branch. The commit message
-  should ideally contain the CVE number. This fix is usually also distributed
-  to the 'distros' mailing list to allow them to use the fix prior to the
-  public announcement.
+  should ideally contain the CVE number.
+
+- The security team also decides on and delivers a monetary reward to the
+  reporter as per the bug-bounty polices.
+
+- No more than 10 days before release, inform
+  [distros@openwall](https://oss-security.openwall.org/wiki/mailing-lists/distros)
+  to prepare them about the upcoming public security vulnerability
+  announcement - attach the advisory draft for information with CVE and
+  current patch. 'distros' does not accept an embargo longer than 14 days and
+  they do not care for Windows-specific flaws.
 
 - No more than 48 hours before the release, the private branch is merged into
   the master branch and pushed. Once pushed, the information is accessible to