Could the maintainers please create and publish a security.md with security policy that indicates the process for submitting vulnerabilities, tracking, and expectations for users of remediation of vulnerabilities?

Use this section to tell people about which versions of your project are currently being supported with security updates.

Use this section to tell people how to report a vulnerability.

Tell them where to go, how often they can expect to get an update on a reported vulnerability, what to expect if the vulnerability is accepted or declined, etc.