GitHub sets up private vulnerability reports for public repos to avoid 'naming and shaming'