Report back in https://news.ycombinator.com/item?id=10628112
With private issues we can have people report security issues with issues instead of using email and then adding them to a different private repo.
http://corte.si/posts/hacks/github-browserstate/ "Add a mechanism that lets users report private bugs, visible only to the repo owners. There's just no excuse for the lack of a feature like this." => My proposal would be to have these issues visible to the author of the issue and all people with access to the repository. Basically they are hidden from guests. This is the same way that private repositories work.
We could consider also having internal issues that are visible to all people with an account on the server to make the issue visibility similar to repository visibility.