Publish security policy (see PROJECT_SECURITY_REPORTING)

[Relequestual]

Publish security policy (see PROJECT_SECURITY_REPORTING)

[Relequestual]

GitHub has a private vulnerability reporting solution.
This is news to me: https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository
I'll ask the OpenJS Foundation if there's any reasons for NOT using this.

Given one of the approaches that's allowable is...

Vulnerability disclosure program, e.g. hosted on platform such as HackerOne or similar.

I would think what GitHub offer is appropriate.