doc,meta: codify security release commit message

The release commit message for security releases have conventionally
started with the phrase `This is a security release.`. Codify this
as part of the release process so that the distribution indexer can
use this to detect and mark releases as security releases.

Fixes: nodejs/Release#437
Refs: #27612 (comment)
Refs: nodejs/nodejs-dist-indexer#9

PR-URL: #27643
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Rich Trott <rtrott@gmail.com>

Author: richardlau

doc/releases.md

@@ -345,6 +345,21 @@ Notable changes:
 * Copy the notable changes list here, reformatted for plain-text
 ```
 
+For security releases, begin the commit message with the phrase
+`This is a security release.` to allow the
+[distribution indexer](https://github.com/nodejs/nodejs-dist-indexer) to
+identify it as such:
+
+```txt
+YYYY-MM-DD, Version x.y.z (Release Type)
+
+This is a security release.
+
+Notable changes:
+
+* Copy the notable changes list here, reformatted for plain-text
+```
+
 ### 6. Propose Release on GitHub
 
 Push the release branch to `nodejs/node`, not to your own fork. This allows