The timeline mentions the disclosure was made through CISA, and on their website there is an official incident report form.
I can imagine an email to some generic email address could have gone down the way you describe, but I guess they look at these reports more professionally.
Proudly self-hosting Forgejo since then.