We strongly encourage you to report security vulnerabilities to our private security mailing list: [email protected] - first, before disclosing them in any public forums.
This is a private mailing list where only active maintainers of the project are allowed to be the members of the group and receive reported security vulnerabilities, and the issues are treated as top priority.