Can we resolve this with the Nix community values? Security issues by definition need a coordinated fix to benefit everyone, which conflicts with (emphasis mine, from the section I linked):
We are a synthesis of varied but overlapping communities. We rely on distributed approaches: asynchronous communication, clear ownership, deep-dive taskforces, and local decisionmaking.
If ownership is unclear, it tends to make issues caused by asynchronous communication and different groups making different decisions worse. It’s a problem in engineering orgs as old as time, too, so it has a fix that’s equally tried and true: if there’s no agreement about where to publish the vuln first, then you just make something up and roll with it if everyone agrees. Publishing the GitHub vuln announcement seems like a solid “it goes here first” step.