See also code conventions; there are a few guidelines about security of added code there.
Security issues may be reported to core team members privately, e.g. on Discord. Note that this applies only to security issues; everything else should still be posted to the issue tracker.
Publicly posting security issues is also allowed, because not everyone has or wants a Discord account. We may add other channels for private reports in the future.
Everyone with push access must use two-factor authentication for their GitHub accounts. Should their account still be compromised, other team members should be immediately notified.