I don't think that a panic in a library not used outside a single application binary (no dependents on crates.io) deserves an advisory. There's no indications that this is used as a networked service (and if only the developers host it as a network service, it can be handled internally).
In other words, use binary-focused advisory systems like CVE and customer mailing lists for this (and perhaps not even that, it's just a user input panic).
I don't think that a panic in a library not used outside a single application binary (no dependents on crates.io) deserves an advisory. There's no indications that this is used as a networked service (and if only the developers host it as a network service, it can be handled internally).
In other words, use binary-focused advisory systems like CVE and customer mailing lists for this (and perhaps not even that, it's just a user input panic).