To report a security bug, submit details such as what the vulnerability is, what risks it may entail, and how to reproduce it via GitHub. The project maintainers will try to respond and deal with the issue within 2 weeks. Disclosure policy is to disclose a vulnerability within 90 days of it being reported.