GitHub has introduced security advisories, where a project can state its workflow for reporting security vulnerabilities. It also seems to have ways for private forks and discussions on security issues before publishing an advisory. It is still in beta, but I saw the tab on the CPython repository.
My main objective was to redirect humans to the right locations and avoid duplicating what's documented elsewhere, but if it can be improved further, this should be done.