And also an exception for reporting security-related issues. Because if you try and charge people money to responsibly report security vulnerabilities, then they'll just end up taking the full disclosure approach, which is probably not what you want.

Oh, definitely. CVEs have a special place to be reported in GitHub.

PSA: Do NOT use the issue tracker to report a CVE. That makes everyone's life difficult. Go through the correct channel.