Move security advisory drafting to www.drupal.org

Created on 5 November 2024, about 2 months ago

Problem/Motivation

Security.Drupal.org will be replaced, not using Drupal. Security advisory drafting can move to www.drupal.org, where we have an advisory content type. This is currently used by security team members to copy/paste the advisory on release day. Instead, we can have maintainers do the drafting right on www.drupal.org, eliminating the copy/paste step, so everyone can focus on advisory content.

Remaining tasks

  • Complete remaining prerequisites: 📌 Assign security advisory ID and creation date on publish (Active), 📌 Replace security advisory credit fields (Active)
  • Limit field access for publishing, is PSA, advisory ID, CVE ID to security team members at all times
  • Add a URL field to keep track of the security issue; this will help provide options for crediting later. It should be filled from a query argument, so the field widget can be read-only. Field access control should allow no one to view it; it is only reachable on the edit form.
  • Once published, limit editing to security team members
  • Before publishing, allow editing by security team members, and maintainers of the project
  • Update documentation and any integrations
  • Make sure validation before advisory creation first checks that the current user is a maintainer of the project filled from the URL query parameter, then checks that the issue filled from the query parameter belongs to that same project. Enumerating in-progress security issues must not be possible.
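As an added illustration of the access and validation rules in the task list above (not code from drupal.org or this issue), here is a sketch of a hypothetical `sa_access` module. It uses only core Drupal hooks (`hook_entity_field_access`, `hook_node_access`, `hook_form_FORM_ID_alter`); the bundle name `sa`, the field names, the `manage security advisories` permission and the `sa_access_user_maintains_project()` lookup are assumptions, since the issue does not name drupal.org's real machine names or maintainer API.

```php
<?php

/**
 * @file
 * sa_access.module (hypothetical): field access, edit access and draft
 * validation for the advisory content type. All machine names are assumed.
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;

const SA_BUNDLE = 'sa';
const SA_TEAM_PERMISSION = 'manage security advisories';
const SA_PROJECT_FIELD = 'field_project';
const SA_ISSUE_FIELD = 'field_security_issue';
// Published status, PSA flag, advisory ID and CVE ID: security team only, always.
const SA_TEAM_ONLY_FIELDS = ['status', 'field_is_psa', 'field_sa_id', 'field_cve_id'];

/**
 * Implements hook_entity_field_access().
 */
function sa_access_entity_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, ?FieldItemListInterface $items = NULL) {
  if ($field_definition->getTargetEntityTypeId() !== 'node' || $field_definition->getTargetBundle() !== SA_BUNDLE) {
    return AccessResult::neutral();
  }
  $name = $field_definition->getName();
  if ($operation === 'edit' && in_array($name, SA_TEAM_ONLY_FIELDS, TRUE)) {
    return AccessResult::forbiddenIf(!$account->hasPermission(SA_TEAM_PERMISSION))->cachePerPermissions();
  }
  // The issue reference is never rendered for anyone; it only exists on the edit form.
  if ($operation === 'view' && $name === SA_ISSUE_FIELD) {
    return AccessResult::forbidden();
  }
  return AccessResult::neutral();
}

/**
 * Implements hook_node_access(): published advisories are editable by the
 * security team only; drafts also by maintainers of the advisory's project.
 */
function sa_access_node_access(NodeInterface $node, $operation, AccountInterface $account) {
  if ($node->bundle() !== SA_BUNDLE || $operation !== 'update') {
    return AccessResult::neutral();
  }
  if ($account->hasPermission(SA_TEAM_PERMISSION)) {
    return AccessResult::allowed()->cachePerPermissions();
  }
  if ($node->isPublished()) {
    return AccessResult::forbidden()->addCacheableDependency($node);
  }
  $project_id = (int) $node->get(SA_PROJECT_FIELD)->target_id;
  return AccessResult::allowedIf(sa_access_user_maintains_project($account, $project_id))
    ->cachePerUser()->addCacheableDependency($node);
}

/**
 * Returns the issue node only if $account maintains $project_id AND the issue
 * belongs to that project. The maintainer check runs first, so a
 * non-maintainer never causes an issue lookup, and every failure collapses to
 * the same NULL: probing IDs reveals nothing about in-progress issues.
 */
function sa_access_resolve_source(AccountInterface $account, int $project_id, int $issue_id): ?NodeInterface {
  if ($project_id <= 0 || $issue_id <= 0 || !sa_access_user_maintains_project($account, $project_id)) {
    return NULL;
  }
  $issue = \Drupal::entityTypeManager()->getStorage('node')->load($issue_id);
  if (!$issue instanceof NodeInterface || $issue->bundle() !== 'project_issue'
    || (int) $issue->get(SA_PROJECT_FIELD)->target_id !== $project_id) {
    return NULL;
  }
  return $issue;
}

/**
 * Implements hook_form_FORM_ID_alter() for node_sa_form (the add form):
 * fill project and issue from ?project=NID&issue=NID and lock the widgets.
 */
function sa_access_form_node_sa_form_alter(array &$form, FormStateInterface $form_state) {
  $query = \Drupal::request()->query;
  $issue = sa_access_resolve_source(\Drupal::currentUser(), (int) $query->get('project', 0), (int) $query->get('issue', 0));
  // Prefill only after the check passes; a read-only widget showing the issue
  // title would otherwise leak its existence to someone not entitled to know.
  if ($issue) {
    $form[SA_ISSUE_FIELD]['widget'][0]['target_id']['#default_value'] = $issue;
    $form[SA_PROJECT_FIELD]['widget'][0]['target_id']['#default_value'] = $issue->get(SA_PROJECT_FIELD)->entity;
  }
  $form[SA_ISSUE_FIELD]['#disabled'] = TRUE;
  $form[SA_PROJECT_FIELD]['#disabled'] = TRUE;
  $form['#validate'][] = 'sa_access_validate_draft_source';
}

/**
 * Validator: re-run the same check on submit, with one generic message.
 */
function sa_access_validate_draft_source(array &$form, FormStateInterface $form_state) {
  $query = \Drupal::request()->query;
  if (!sa_access_resolve_source(\Drupal::currentUser(), (int) $query->get('project', 0), (int) $query->get('issue', 0))) {
    $form_state->setErrorByName(SA_ISSUE_FIELD, t('You cannot draft an advisory for this project and issue.'));
  }
}

/**
 * Placeholder for the site's maintainer lookup (not shown on the issue).
 */
function sa_access_user_maintains_project(AccountInterface $account, int $project_id): bool {
  return FALSE;
}
```

The same resolver is used both to decide whether to prefill the read-only widgets and to validate on submit, so the form never displays an issue it would later refuse to attach, and the error message is identical whether the issue does not exist, belongs to another project, or the user is simply not a maintainer.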
📌 Task
Status

Active

Version

3.0

Component

Security advisories

Created by

🇺🇸 United States drumm NY, US


Comments & Activities
