Since November 2020, I have been tracking security issues reported to the GNOME security team here. This was a good start, but most issues are reported directly to project maintainers, and are therefore not known to the security team. Since February, I have been attempting to comprehensively track security vulnerabilities found in GNOME. If you know of any CVEs or security issues that are missing from the list, which goes back to November 2020, please report them for inclusion on the tracking page here.
Please create the missing security.txt with the information and directions for reporting security issues.
/.well-known/security.txt is 404 and /security.txt silently redirects to the home page where the term “security” cannot be found.
The footer link to Contact Us goes to the Foundation page where again the term “security” cannot be found.
GNOME Security has its own web site, though it appears to be just the one useful page: Reporting a security issue.
if you have a GNOME GitLab account, open a confidential issue against the corresponding module
In the second case, and only the second case, the maintainer (not the reporter, if at all possible) needs to notify the security team so they can track issues in flight.