Update the What to Report section of the Security Policy (#1289)

Update the "What to Report" section of the Security Policy by:

- Removing the in-my-opinion currently unnecessary "threat model" string
- Organizing things alphabetically
- Adding more items
- Clarifying what the scopes represent

SECURITY.md

@@ -37,21 +37,31 @@ report the issue privately.
 [new github advisory]: https://github.com/ericcornelissen/shescape/security/advisories/new
 [[email protected]]: mailto:[email protected]?subject=SECURITY%20%28shescape%29
 
-### What to Report (Threat Model)
+### What to Report
+
+Consider if the issue you found really is a security concern. Below you can find
+guidelines for what is and isn't considered a security issue. Any issue that
+does not fall into one of the listed categories should be reported based on your
+own judgement. If in doubt, report the issue privately.
+
+Any issue that is out of scope should still be reported, but can be reported
+publicly because it is not considered sensitive.
 
 #### In Scope
 
+- Insecure suggestions or snippets in the documentation.
 - Insufficient escaping for any supported shell.
-- Logic bugs with a security implication (e.g. unexpected throw) that can be
-  triggered through the public API.
+- Logic bugs with a security implication that can be triggered through the
+  public API.
 - Security misconfigurations in the continuous integration pipeline or software
   supply chain.
-- Insecure suggestions or snippets in the documentation.
 
 #### Out of Scope
 
-- Known vulnerabilities in third-party `dependencies` or `devDependencies`.
 - Bugs only affecting the `shescape/testing` module.
+- Insecure defaults or confusing API design.
+- Insufficient escaping for any unsupported shell.
+- Known vulnerabilities in third-party `dependencies` or `devDependencies`.
 
 ### What to Include in a Report