CYA & report all issues to said outside organization? Any bug where a feature doesn't work is a denial of service on that feature, and therefore a security issue. Lack of accessibility features is a DoS against people who need those features and thus a security issue, and so adding screen reader support is a security fix. Etc., etc.

If people knew about all the vulns in their software, the vulns wouldn’t exist. You can’t disclose if you don’t know. And establishing when you “should” know or what counts as an actionable report will require basically a lawyer to untangle. CYA = hire a lawyer for your open source code. No thanks, I think I’ll keep it on my drive and off GitHub.