If only there were a group being created to solve these coordination problems… a sort of driving taskforce… 
Edit to add: here was my proposed solution when this happened. Coordinate pushing it out on the GH security advisory as a first step, and do so with as few dependencies on the copy as possible so there’s little friction for people copy/pasting the notice.