Depends on the protocol the security flaw is with, but RFC 2142 would indicate that if it's a Web issue, then webmaster@example.com - sadly people don't pay attention to many standards like this anymore, though, because they'd rather the Internet be broken.
If you found a flaw on site example.com, where would you look first for a security contact?