As @ncoghlan mentioned, there aren’t many tools that tightly integrate with GitHub to allow private “pull request”-like UI, vulnerability-specific tooling (such as CVSS, CVE ID, and CVE-specific crediting), already hooked up to our existing GitHub teams and admin, and for no cost. I couldn’t find any alternative that met all those criteria.
I can certainly abstract this out so that PSRT is able to choose its tool based on where the projects are hosted and what is available there.