Remove "security" as a type and add a "cve" attribute

[rgoers]

"security" is a poor choice to have as a type as it is almost always also a bug that needs to be fixed. However, for bug fixes that are security issues it would be useful to include the "bug id" (i.e. - the CVE number) for the issue. This would make it easier for users to locate the specific changes that corrected a specific issue.

[vy]

Fixed in 48a66f9. As discussed in the Slack channel, we agreed to use issues for CVEs, e.g., <issue id="CVE-2021-44228" url="https://www.cve.org/CVERecord?id=CVE-2021-44228">.