Hi everybody,
I think we never officially announced it: there's an email alias to post security issues to, at security@coreboot.org. Right now, it's maintained by Stefan and me, and when issues appear there we will share them with the affected maintainers for resolution.
Technically it's a mailing list (that a few folks tried to subscribe to), but that's mostly for convenience: it's not meant to be open for all due to the sensitive nature of things discussed there.
When dealing with an issue through that channel, we will make sure that there's disclosure afterwards - maybe delayed a bit to roll out fixes to users first, but otherwise as soon as possible. I won't commit to any timeline here simply because we lack experience with that (so far there hasn't been a report through that channel).
I also created a change to the homepage at https://review.coreboot.org/c/homepage/+/32689 to make that point of contact more visible.
Let's develop coreboot in a way that we won't need this alias very often :-)
Regards, Patrick