We use Github's Security advisories for reporting security vulnerabilities.
You can open a private report in the advisories section.
To learn more about this reporting checkout the Github docs.
Security vulnerabilities will be disclosed via release notes, issues and Github advisories with severity score higher than 4.0 will have an advisory published.