doc: add request to hold off publicising sec releases

- We've often seen tweets go out early before announcement
  and other parts of the security release complete
- Make an explicit ask that collaborators avoid doing this
  by gating on the tweet from the Node.js account
- Releasers would still be free to tweet earlier as they know
  when the process is complete.

Signed-off-by: Michael Dawson <mdawson@devrus.com>

Author: mhdawson

doc/contributing/security-release-process.md

@@ -111,6 +111,7 @@ out a better way, forward the email you receive to
 `oss-security@lists.openwall.com` as a CC.
 
 * [ ] Create a new issue in [nodejs/tweet][]
+
   ```text
   Security release pre-alert:
 
@@ -123,6 +124,13 @@ out a better way, forward the email you receive to
   https://nodejs.org/en/blog/vulnerability/month-year-security-releases/
   ```
 
+  We specifically ask that collaborators other than the releasers and security
+  steward working on the security release do not tweet or publicise the release
+  until the tweet from the Node.js twitter handle goes out. We have often
+  seen tweets sent out before the release and associated announcements are
+  complete which may confuse those waiting for the release and also takes
+  away from the work the releasers have put into shipping the releases.
+
 * [ ] Request releaser(s) to start integrating the PRs to be released.
 
 * [ ] Notify [docker-node][] of upcoming security release date: _**LINK**_