To report a security bug, submit details such as what the vulnerability is, what risks it may entail, and how to reproduce it via GitHub. I will try to respond and deal with the issue within 2 weeks. Disclosure policy is to disclose a vulnerability within 90 days of it being reported.