I suggest creating a SECURITY.md file describing your security process for reporting any security vulnerabilities. I can be as simple as "Report the issue as an email to john.doe@example.com with subject of 'Potential security vulnerability in X'" or however complicated as you want, but you probably do NOT want to have people by default report it publicly via GitHub Issues since generally anyone can read those for a public repository.

I'm not claiming either of these are perfect approach, but just throwing them out there as an idea if you wish to copy or get some ideas for creating your own:

• https://github.com/ESAPI/esapi-java-legacy/blob/develop/SECURITY.md#reporting-a-vulnerability

or

• https://github.com/nahsra/antisamy/blob/main/SECURITY.md#reporting-a-vulnerability