If you want to provide additional information, such as a link to your security policy, you can customize the pre-receive hook reject message, which is displayed to a Git user when a push or merge is rejected. Use the dedicated option on the plugin configuration page.
The custom text you provide is displayed as the header of the reject banner, followed by the list of detected vulnerabilities. This setting affects all repositories of your Bitbucket instance.
If you want to restore the default message, just set this option to an empty value.