Our vulnerability disclosure policy is simple: Do not disclose serious vulnerabilities in public, unless they already have been - by ourselves or Dependabot.
You can always contact us directly on Discord. Feel free to send a private message to one of our admins there. We're happy to address any concerns you may have, and we'd love to hear from you if there's an issue that needs fixing.