Add security policy

How should security vulnerabilities be reported? Issues and pull requests are publicly visible. If there is a safer way to disclose information about vulnerabilities, can someone document that process and add it to the repo?

https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository