What is the protocol for discussing security vulnerabilities?

[Friendseeker]

Say an issue with potential security impact (e.g. Denial of Service) is identified, what is the protocol for discussing such issues?

[diegomura]

There isn't one @Friendseeker . What do you suggest?

[Friendseeker]

@diegomura Thanks for reply!

I wonder if we should follow Github's recommended protocol at https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability

Basically there's a setting called Private vulnerability reporting which can be enabled. Would also be ideal if the setting is enabled for jay-peg repo.