12 changes: 10 additions & 2 deletions SECURITY.md
Expand Up @@ -14,8 +14,16 @@ Additionally, please include the following in the security report:

- the name and version of the AI, scanner, etc. that detected the issue (this can help us handle reports generated by buggy tools more efficiently)

- list of affected architectures (Atree is only officially supported on 64-bit)
- list of affected platforms (Atree is only officially supported on 64-bit architectures)

- version of [Flow Emulator](https://github.com/onflow/flow-emulator) used to check the reported issue (issue might be prevented by Flow components that set or enforce limits on Atree)
- list of changes to the source code of Flow components (generally, the vulnerability reproducer shouldn't require modifying Flow source code)

- version of the unmodified [Flow Emulator](https://github.com/onflow/flow-emulator) used to check the reported issue (issue might be prevented by Flow components that set or enforce limits on Atree)

Before submitting a security report, please review your source code included in the report. For example, please make sure the reported panic isn't caused by an overlooked mistake in the report's test code.

# Flow Rewards

Security reports that follow the guidelines and meet other conditions of the vulnerability disclosure program might qualify for Flow Protocol Rewards.

Security reports should not evaluate Atree as a standalone component, because Atree relies on some limits and security guarantees provided by other components in Flow (such as `onflow/cadence` and `onflow/flow-go`). Before submitting a report, please try to reproduce the vulnerability using a Cadence script running on unmodified flow-emulator.
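
Review bot: The closing paragraph under the new "# Flow Rewards" heading (the one beginning "Security reports should not evaluate Atree as a standalone component") is a reporting requirement rather than reward information, so a reporter who skips the rewards section will miss it. Consider moving it up beside the "unmodified Flow Emulator" bullet, which states the same expectation. The rewards sentence also refers to "the vulnerability disclosure program" and "other conditions" without linking to either, so a reader cannot tell what qualifies; a link to the program terms would fix that. Two smaller points: the revised bullet asks for "affected platforms" while its parenthetical speaks of "64-bit architectures", so it should say whether OS, CPU architecture or both are wanted, and the text uses both "Flow Emulator" and "flow-emulator" for the same tool.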