FYI: GitHub now supports private vulnerability reporting!!!

David A. Wheeler

All, FYI:

GitHub now supports private reporting of security vulnerabilities to projects!
This is a big deal. Details here:
https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability

Note that projects must *individually* enable this functionality, but it's easy to do
(see that page).

GitHub currently considers this "beta" functionality. That said, I've already
enabled it for the OpenSSF Best Practices badge project.

Once there's more experience with it, I think we should be encouraging people to enable it
for projects on GitHub, and I think the OpenSSF Vulnerability Disclosure guidance should
recommend it for GitHub-hosted projects (with email as an alternative if they don't want to).
That assumes that it works well enough, so I'd love to hear if it seems to be working
adequately well.

Thanks.

--- David A. Wheeler