List security contacts

We still don't have a security@ alias; listing personal emails is
unfortunately the next-best thing.

doc/bugs.mdwn

@@ -3,6 +3,10 @@ elsewhere. Link items to [[bugs/done]] when done.
 
 Also see the [Debian bugs](http://bugs.debian.org/ikiwiki).
 
+If you are reporting a security vulnerability, please email the maintainers
+privately, instead of making it public by listing it here. See [[security]]
+for contact details.
+
 There are [[!pagecount pages="bugs/* and !bugs/done and !bugs/discussion and 
 !link(patch) and !link(bugs/done) and !bugs/*/*"
 feedpages="created_after(bugs/no_commit_mails_for_new_pages)"]] "open" bugs:

doc/security.mdwn

@@ -1,11 +1,16 @@
-Let's do an ikiwiki security analysis.
-
 If you are using ikiwiki to render pages that only you can edit, do not
 generate any wrappers, and do not use the cgi, then there are no more
 security issues with this program than with cat(1). If, however, you let
 others edit pages in your wiki, then some possible security issues do need
 to be kept in mind.
 
+If you find a new security vulnerability, please email the maintainers
+privately instead of listing it in a public bug tracker, so that we can
+arrange for coordinated disclosure when a fix is available. The maintainers
+are [[Joey Hess|joey]] (<joey@kitenet.net>),
+[[Simon McVittie|smcv]] (<smcv@debian.org>)
+and [[Amitai Schleier|schmonz]] (`schmonz-web-ikiwiki schmonz com`).
+
 [[!toc levels=2]]
 
 ----