Please consider using CVE identifiers for security issues
Instead of vendor identifiers (e.g. CIVI-SA-2019-24) please consider using standard CVE identifiers for security issues.
Here is some reasoning from the Debian Security Team:
The good thing about having a CVE id for the vulnerabilities is that it helps other vendors to track the issues properly 'cross-vendor' in a unique way. If every upstream used individual identifiers to track their vulnerabilities, this would make the work of downstream security teams much harder. Nowadays MITRE has improved a lot on their processes for assigning CVEs, and well-filled reports at https://cveform.mitre.org/ get assigned a CVE quickly (this somehow depends though on how well the report is done). I know some upstreams had frustrating experiences in the past, and do not want to try that out again.
See also the Debian Upstream Guide.