Most gems don't have any set process/policy for handling security vulnerabilities. We should provide a basic template for them to use to make it easier for them to draft one and get it published.