Consider referencing disclosure-check to find a maintainer's preferred contact mechanism

[scovetta]

We have a (still) PoC tool called disclosure-check, intended to help finders locate the best way to privately contact a maintainer.

It looks through SECURITY.md, Security Insights, package metadata, inclusion in Tidelift, and everything else I could think of -- attempting to automate what a human would do when trying to find the right person/process to follow. It supports all of the major ecosystems (npm, pypi, debian, github, maven, etc.) and is available as a Python package.

If someone within the BEST WG would be interested in helping to maintain the project, we can definitely get it over the finish line.