>Clearly defined and discoverable process to report security issues. Should be a link to a section in the security docs, iirc.
Should be a link to a section in the security docs, iirc.