We notify https://groups.google.com/d/forum/jenkinsci-advisories and the archive is at https://jenkins.io/security/advisories/
Access to SECURITY issues is limited to the reporter, security team, and possibly assignee (typically plugin maintainer), for obvious reasons. Notably, for Active Choices, since it's just the mandatory dependency to Scriptler that suspended its distribution (unsatisfied dependency when installing from scratch), there's no SECURITY issue for it.
The unprecedented step to release an advisory without fix in place means that SECURITY issues may not be fixed (well, I closed them as there's no longer a need to track them privately…). Our process doesn't really support that, so public JENKINS issues corresponding to specific private SECURITY issues mentioned in the advisory is actually a good idea IMO. Having a single issue for completely unrelated plugins is less of a good idea – who owns it?
In this case, there's also https://wiki.jenkins-ci.org/display/JENKINS/Script+Security+Support+in+Plugins tracking fix progress that can be subscribed to. Notably, for Active Choices (again), the issue is the Scriptler dependency, not anything wrong with the plugin itself.