You needed to have a security contact on your website, or at least in the repo. You did not. You assumed security researchers would instead back out to your Github account's repository list, find the .github repository, and look for a security policy there. That's not a thing!

I'm really surprised you wrote this.

>I'm really surprised you wrote this.

I agree with the rest of your comment, but this seems like a weird little jab to add on for no particular reason. Am I misinterpreting?

No, there's some background context I'm not sharing, but it's not interesting. I didn't mean to be cryptic, but, obviously, I managed to be cryptic. I promise you're not missing anything.

The security policy that didn't exist until a few hours ago?

Added on March 18: https://github.com/TecharoHQ/.github/commits/main/SECURITY.m...

Copied to the root of the repo after the disclosure

ref: https://github.com/TecharoHQ/anubis/issues/1002#issuecomment...

Adding a security policy to an unrelated repository is easily missed and questionably applicable.

In a different repository, though. I think it's understandable that someone would miss it.