Security related issues should go through responsible disclosure and it's up to the maintainer to provide such a process or the recently flurry of "opportunistic whitehats" will continue to spam your issues and require triaging..
Github provides a process for this under the "Security" tab: https://github.com/ether/etherpad-lite/security as an example..
I find that by having a documented process it filters out a decent amount of time wasters.
Google ran a huge push to get these into schools too.. There was a LOT of pressure on Schools to adopt from various partners (or at least that happened in the UK)...
Google is aware of the Microsoft gains from getting people used to their products at a young age...