The "Report a Bug" form here on phabricator (https://dev.gnupg.org/maniphest/task/edit/form/3/) has an "IMPORTANT" note that is ill-formed. It says:
please write to security 'at' gnupg.org to ask for advice and our encryption kes
That should at least be "keys" and not "kes" -- but if we want to provide keys, we should provide an automatic way to retrieve them (a link to a local file, something in the source code, etc) rather than hoping that a security reporter will invest in a multi-round-trip e-mail exchange to first get the keys and then send the notification.
please make it easy for bug reporters to do so securely!