Document how to report security vulnerabilities

While pointing out that Twitter was not the proper communication channel to report security vulnerabilities, I've not been able to locate a procedure on how security vulnerabilities should be reported.

I've see nothing on https://www.torproject.org/about/contact.html.en and asking StartPage for "host:www.torproject.org report security vulnerability" did not turn anything up.