docs: update SECURITY.md and CODE_OF_CONDUCT.md reporting channels

- SECURITY.md: require reporting to both GitHub Private Security Advisory
  and ASRC, remove email channel
- CODE_OF_CONDUCT.md: unify reporting to CNCF CoC Committee (conduct@cncf.io),
  add reference to CNCF Incident Resolution Procedures

Change-Id: I771880e9c488247f015dda4ecb0dac95be29fef1
Co-developed-by: Kiro <noreply@kiro.dev>
Signed-off-by: EndlessSeeker <1766508902@qq.com>

CODE_OF_CONDUCT.md

@@ -9,10 +9,12 @@ The text below is the project's adopted Code of Conduct, based on the
 substantively aligned with the CNCF Code of Conduct. Where any conflict exists,
 the CNCF Code of Conduct prevails.
 
-Instances of unacceptable behavior may be reported to the project maintainers
-at [higress@googlegroups.com](mailto:higress@googlegroups.com), or to the CNCF
-Code of Conduct Committee at
-[conduct@cncf.io](mailto:conduct@cncf.io).
+Instances of unacceptable behavior may be reported to the CNCF Code of
+Conduct Committee at [conduct@cncf.io](mailto:conduct@cncf.io). For more
+detailed instructions on how to submit a report, including how to submit a
+report anonymously, please see the CNCF
+[Incident Resolution Procedures](https://github.com/cncf/foundation/blob/main/code-of-conduct/coc-incident-resolution-procedures.md).
+You can expect a response within three business days.
 
 ---
 
@@ -73,7 +75,8 @@ further defined and clarified by project maintainers.
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at higress@googlegroups.com. All
+reported by contacting the CNCF Code of Conduct Committee at
+[conduct@cncf.io](mailto:conduct@cncf.io). All
 complaints will be reviewed and investigated and will result in a response that
 is deemed necessary and appropriate to the circumstances. The project team is
 obligated to maintain confidentiality with regard to the reporter of an incident.

SECURITY.md

@@ -17,17 +17,12 @@ your contributions.
 **Please do NOT report security vulnerabilities through public GitHub issues,
 discussions, or pull requests.**
 
-Instead, please report them through one of the following private channels
-(choose either one):
+Instead, please report them through **both** of the following private channels:
 
-- **GitHub Private Security Advisory**:
-  <https://github.com/higress-group/higress/security/advisories/new>
-- **Email**: [higress@googlegroups.com](mailto:higress@googlegroups.com)
-
-In addition, we recommend also reporting the vulnerability to the
-[Alibaba Security Response Center (ASRC)](https://security.alibaba.com/),
-as Higress is widely deployed on Alibaba Cloud infrastructure. Reporting to
-ASRC helps ensure timely patching for cloud-hosted deployments.
+1. **GitHub Private Security Advisory**:
+   <https://github.com/higress-group/higress/security/advisories/new>
+2. **Alibaba Security Response Center (ASRC)**:
+   <https://security.alibaba.com/>
 
 Please include as much of the following information as possible to help us
 triage and address the issue:
@@ -59,8 +54,8 @@ keep you informed of our progress throughout the process.
 ## Security Response Team
 
 The Higress security response is handled by the project maintainers listed in
-[`MAINTAINERS.md`](./MAINTAINERS.md). Security reports sent to
-higress@googlegroups.com are received by all current maintainers.
+[`MAINTAINERS.md`](./MAINTAINERS.md). Security reports submitted via GitHub
+Private Security Advisory are visible to all current maintainers.
 
 ## Disclosure Policy