If you discover a security issue please create an issue stating you've discovered a security issue but don't divulge the issue, one of the maintainers will respond with an email address you can send the details to. Once the issue has been patched the details can be made public.