Security Policy Vulnerabilities can be reported privately by using the Security Advisory feature of GitHub.