Per the Linux Foundation Vulnerability Disclosure Policy, if you find a vulnerability in a project maintained by the OpenSSF, please report that directly to the project maintaining that code.
If you've been unable to find a way to report it, or have received no response after repeated attempts, please contact the OpenSSF security contact email, security @ openssf . org.
Thank you.