Security Policy Reporting a vulnerability: Create an issue with "Security" tag, or submit a PR with a fix (ideally with a test) and a description of the vulnerability.