One thing I’ve heard desired from folks is the ability to default issues to private visible only by maintainers. This not only ensures that security issues aren’t public immediately but also removes the incentive for people to troll by opening issues. Then a maintainer can mark an issue as legit and it’ll be public. IMO this is a great way to approach it.