To ease adoption of Brotli in projects with formal new-dependency policies, like Envoy, it would be beneficial to have an explicit security policy in SECURITY.md with contact details and a reporting/disclosure process.
Lack of a policy implies security bugs are open zero days.