.github/SECURITY.md:3 tells reporters of vulnerabilities to file a public issue:
Report vulnerabilities by opening an issue at https://github.com/zerocracy/swarm-template/issues/new.
That channel publishes the report — title, body, reproduction, and any proof of concept — to anyone watching the repository, the GitHub global advisories feed, and search-engine crawlers, the moment the issue is created. The security policy is the one document whose entire purpose is to hold a vulnerability private until a fix ships, so routing it through public issues defeats the policy. Every swarm generated from this template inherits the same file and the same routing, multiplying the exposure across every downstream repository.
Fix: replace the public-issue instruction with the repository's private vulnerability reporting channel. Enable "Privately report a security vulnerability" under repository Settings -> Code security, then point .github/SECURITY.md at https://github.com/zerocracy/swarm-template/security/advisories/new (and rely on {{ env.GITHUB_REPOSITORY }} substitution when the same file is committed into the template's outputs). A short fallback email address is acceptable when private reporting is not available.
.github/SECURITY.md:3tells reporters of vulnerabilities to file a public issue:That channel publishes the report — title, body, reproduction, and any proof of concept — to anyone watching the repository, the GitHub global advisories feed, and search-engine crawlers, the moment the issue is created. The security policy is the one document whose entire purpose is to hold a vulnerability private until a fix ships, so routing it through public issues defeats the policy. Every swarm generated from this template inherits the same file and the same routing, multiplying the exposure across every downstream repository.
Fix: replace the public-issue instruction with the repository's private vulnerability reporting channel. Enable "Privately report a security vulnerability" under repository Settings -> Code security, then point
.github/SECURITY.mdathttps://github.com/zerocracy/swarm-template/security/advisories/new(and rely on{{ env.GITHUB_REPOSITORY }}substitution when the same file is committed into the template's outputs). A short fallback email address is acceptable when private reporting is not available.