honestly this situation is quite common to cyber security and disclosure of vulnerabilities / problems that need fixing. rfc9116 (security.txt) is pretty useless; most of the time just some email inbox to /dev/null
knowing back channels, having the 'village' mindset is much better