Private vulnerability reporting

kubeflow/kubeflow
Based on 1 comment

Reviewer Prompt

Never expose security vulnerabilities in public issue trackers. Security issues require confidential handling to prevent exploitation before fixes are available. Use private reporting channels such as:

  1. A dedicated security email address (e.g., security@project.org)
  2. GitHub’s private vulnerability reporting feature

When implementing security reporting processes:

  • Follow CNCF security templates for standardized procedures (https://github.com/cncf/tag-security/tree/main/project-resources)
  • Create clear documentation on how to report vulnerabilities
  • Establish a security response team with defined responsibilities

Example security.md section:

## Reporting a Vulnerability

Please DO NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via:
- Our dedicated security email: security@project.org
- GitHub's private vulnerability reporting feature: [Project Security](https://github.com/organization/project/security/advisories/new)

Include as much information as possible about the vulnerability. The security team will respond acknowledging receipt of the report and outline the next steps in handling your submission.

This practice helps protect users while vulnerabilities are being addressed and follows security industry best practices.
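As an added example (not part of the kubeflow prompt or project), here is a small Python check a reviewer bot could run over a SECURITY.md to enforce the rules above: it requires at least one private channel (a security@ address or a GitHub private vulnerability reporting URL) and flags any line that sends reporters to the public issue tracker. Both SECURITY.md samples are constructed for illustration.

```python
import re

# Constructed sample SECURITY.md contents (not taken from any real repository).
GOOD_SECURITY_MD = """## Reporting a Vulnerability

Please DO NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via:
- Our dedicated security email: security@project.org
- GitHub's private vulnerability reporting feature: [Project Security](https://github.com/organization/project/security/advisories/new)
"""

BAD_SECURITY_MD = """## Reporting a Vulnerability

Found a security bug? Open an issue at https://github.com/organization/project/issues
and tag it with `security`.
"""

# A dedicated security mailbox, e.g. security@project.org
EMAIL_RE = re.compile(r"\bsecurity@[\w.-]+\.\w+\b", re.IGNORECASE)
# GitHub private vulnerability reporting (security advisories) URL for a repo
ADVISORY_RE = re.compile(
    r"https://github\.com/[\w.-]+/[\w.-]+/security/advisories(/new)?\b", re.IGNORECASE
)
# Link to a repo's public issue tracker
PUBLIC_ISSUES_RE = re.compile(r"https://github\.com/[\w.-]+/[\w.-]+/issues(/new)?\b", re.IGNORECASE)
# Words that mark a sentence as telling reporters NOT to use that channel
NEGATION_RE = re.compile(r"\b(do not|don't|never|not)\b", re.IGNORECASE)


def review_security_md(text: str) -> list[str]:
    """Return review findings for a SECURITY.md; an empty list means it passes."""
    findings = []
    has_private_channel = bool(EMAIL_RE.search(text) or ADVISORY_RE.search(text))
    if not has_private_channel:
        findings.append(
            "No private reporting channel found: add a security email address "
            "or a GitHub private vulnerability reporting link."
        )
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Heuristic: a public-issues link is fine only when the same line tells
        # reporters not to use it; otherwise it invites public disclosure.
        if PUBLIC_ISSUES_RE.search(line) and not NEGATION_RE.search(line):
            findings.append(
                f"Line {lineno}: directs reporters to the public issue tracker; "
                "vulnerabilities must not be filed there."
            )
    return findings
```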
