for information I documented a template to be used for our security advisories on Github, in our security policy: XWiki Security Policy - XWiki
The most notable thing about this template is the “Attribution” section proposed by @MichaelHamann : the idea is to be a bit more specific than the Credits on a Github advisory, as the credits can be used both for someone who helped fixing an issue, than for someone who discovered the vulnerability. So the Attribution section is here to be specific on who did what. It doesn’t prevent using the Credits from Github advisories.
Also it should be an optional section: if the author of the advisory is also the person who discovered and fixed the vulnerability, there’s no real point of using that section.