Security related issues should go through responsible disclosure and it’s up to the maintainer to provide such a process or the recently flurry of “opportunistic whitehats” will continue to spam your issues and require triaging…
Github provides a process for this under the “Security” tab: https://github.com/ether/etherpad-lite/security as an example…
I find that by having a documented process it filters out a decent amount of time wasters.