Github recommends to create a SECURITY.md file containing security policies for the project. I've also enabled in-project vulnerability reporting, and linked to it in this file.