Coordinated Flaw Disclosure for HF Models

If someone finds a safety or security flaw in a model, they need a way to report it to the developer privately, with ~30 days' advance notice before going public with it (see professional guidance below). Currently there is no mechanism to do this on Hugging Face, as all reports are public.

We need a way to submit reports to developers privately through the model card, ideally through an API.

This is the guidance from all organizations that govern coordinated flaw disclosure (from CISA, CERT, or ACL’s new policy here: ACL Policy on Publication Ethics - Admin Wiki).
