We use GitHub's security advisory workflow. To report a new vulnerability click here. These reports are private and only readable for project admins.