Document how to report security vulnerabilities
While pointing out that Twitter was not the proper communication channel to report security vulnerabilities, I've not been able to locate a procedure on how security vulnerabilities should be reported.
I've see nothing on https://www.torproject.org/about/contact.html.en and asking StartPage for "host:www.torproject.org report security vulnerability" did not turn anything up.