GitHub has introduced security advisories, where the project can state the workflow for reporting security vulnerabilities. It also seems to have ways for private forks and discussions on security issues before publishing an advisory. It is still in beta, but I saw the tab on the CPython repository.
Doc: https://help.github.com/en/articles/about-maintainer-security-advisories
Sample doc for golang: https://github.com/golang/go/security/policy