This is a default security policy for repositories that don't specify their own.
If you want to report vulnerabilities to me securely, you can email me using GPG.
You can find my public key on my Keybase profile, and you can verify the details
if you wish on the contact page of my personal homepage. The key fingerprint
is A6B6 5DCE 2EB7 BEAE 9600 74E6 C58C 41E2 7B00 AD04. Send the emails to
sharparam@sharparam.com.
You can also simply create an issue about the vulnerability on the relevant repository, if you feel the vulnerability is not high-profile enough to warrant going through the hurdles of encrypted email (my repos are unlikely to need that kind of security anyway).
Nevertheless, the option is there!
I don't always keep close track of my emails and issues, but you should be able to get an initial response within a couple of weeks.