Even if it's partly documented here: https://polaris.apache.org/community/contributing-guidelines/, we should provide a page on the website clearly documenting how to report security issues.