This is a volunteer-run project that mostly creates images from existing Fedora CoreOS packages. If you've found an issue with something in one of these repositories, you'll need to determine whether that package comes from CoreOS or from a third-party resource and report the issue there. The images build every day and automatically slipstream the changes from CoreOS into the final image.
If the issue is with something you've found in CoreOS, then check out this information from the CoreOS security.md:
If you've found a security issue that you'd like to disclose confidentially, please contact Red Hat's Product Security team. Details at https://access.redhat.com/security/team/contact
Most repositories are licensed under the Apache License, Version 2.0. Some components may be licensed differently - consult individual repositories for more information.