Hex package versions can be retired, security issues being one of the reasons for retirement. In this instance we did not retire Plug because all versions would need to be retired and the security reason was not severe enough to require a retirement of the released versions.
I think a separate tool or service for reporting any security vulnerabilities would be great, but it should not be part of elixir core or hex.
I wrote up a quick blog post on the vulnerabilities, which you can find here. It details the more “practical” method of achieving code execution in serialization functionality, as well as PoCs for anyone who wants to experiment with these locally.