Any mechanism to notify the maintainer of security reports?

[cokeBeer]

Hi, recently I submited a security report to https://github.com/zeromicro/go-zero by security advisory function. The repository is actively maintained. However, it seems no one notice and handle my report for serveral days. Is there any mechanism to help reporters notify the maintainer to handle the security reports? Hopefully github team can do this.

[ljharb]

Maintainers do get those notifications, surfaced quite prominently, so that just means the maintainer hasn't responded to it yet.

[cokeBeer]

Delay a security report for 4 days without any response while commiting actively. Confusing.

[ljharb]

Given that that package is in an org, i believe only admins and security roles would see the notifications, and write-access maintainers would not, so that may be the disconnect.

[cokeBeer]

The admin maintains many projects and may have many notifactions a day..... Seems I'd better use a plain issue which may be seen.

[ljharb]

Perhaps a normal issue simply mentioning that a security report exists, without revealing any of the contents?

[cokeBeer]

Thanks. The maintainer team saw the normal issue I created.