Hello, see Using the Security issue type in JIRA - #25 by vmassol for the full story 
In short, currently our practice is to use Bug + the security label (and a confidential level when not disclosed). See also https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/ which mentions this.
Thx