The project should include a SECURITY.md file to point people towards the right place to submit potential security vulnerabilities responsibly.

This can be done at https://hackerone.com/wordpress?type=team, the HackerOne account for the entire WordPress project.

We already have a piece of documentation here: https://make.wordpress.org/cli/handbook/contributions/contributing/#reporting-security-issues

However, a separate SECURITY.md file would be much more visible and obvious.