I feel there should be some process for reporting security-sensitive issues
in GHC -- for example, #9562 and #10826 in Trac. Perhaps something like the
SensitiveTicketsPlugin [3] could be used?

[1] https://ghc.haskell.org/trac/ghc/ticket/9562
[2] https://ghc.haskell.org/trac/ghc/ticket/10826
[3] https://trac-hacks.org/wiki/SensitiveTicketsPlugin