Description
We should think through how we would like to handle security-sensitive bugs in wgpu. From @dveditz:
The first thing is for the wgpu folks to agree on where they would like security bugs to be reported. Having them reported as public issues isn't great. For many Mozilla projects on github (for example, mobile Firefox) we told people to report security bugs in BMO (bugzilla.mozilla.org).
That's probably not going to fly for an independent project, so the repo (or maybe at the top-level "gfx-rs" org level) needs to enable GitHub "security advisories".
You can see the TC39 policy here: https://github.com/tc39/ecma262/security/
They put the same security.md in every repo, but they all refer to 3 specific security/advisory reporting locations: in the ecma262 and ecma402 repos, and a catchall for everything else
... and some group of maintainers will need permissions to see any submitted issues, and have regular checks for new ones on their ToDo list.
I would have preferred a direct link to BMO, but email is OK: https://github.com/mozilla-mobile/firefox-android/security