No issue here because NPM had already auto-rotated our keys for us! However, we may want to look into making it clearer for requestors how to file vulnerabilities securely, or for automating that process.
Ideas:
Find where it would be strategically useful to add reminders about emailing security@tcril.org instead of creating an issue
Add a Confluence page or blurbs with instructions on how to file issues securely
Discover how to file private GitHub Issues works and what the process should be for flagging those as private and then marking them as public later.
https://github.com/openedx/tcril-engineering/issues/674 was published to the public before its vulnerability was resolved.
No issue here because NPM had already auto-rotated our keys for us! However, we may want to look into making it clearer for requestors how to file vulnerabilities securely, or for automating that process.
Ideas: