I've looked through the CONTRIBUTING.md and haven't seen anything about how to disclose suspected vulnerabilities to the team.
A lot of OSS projects have a SECURITY.md file with a security@example.com email address or instructions on how to report suspected vulnerabilities in a less public way so that if it's legitimate a fix can be made before it's disclosed publicly (in the hopes of avoiding a scenario where an undiscovered issue is made public and then exploited in the wild before a fix can be shipped).
Apologies if there is a place to report these kinds of issues that I've missed, and also happy to just open a regular GitHub Issue for these kinds of bug reports if that is the protocol.
I've looked through the CONTRIBUTING.md and haven't seen anything about how to disclose suspected vulnerabilities to the team.
A lot of OSS projects have a SECURITY.md file with a security@example.com email address or instructions on how to report suspected vulnerabilities in a less public way so that if it's legitimate a fix can be made before it's disclosed publicly (in the hopes of avoiding a scenario where an undiscovered issue is made public and then exploited in the wild before a fix can be shipped).
Apologies if there is a place to report these kinds of issues that I've missed, and also happy to just open a regular GitHub Issue for these kinds of bug reports if that is the protocol.