This project is covered by the Drupal security advisory process, which is facilitated by the Drupal Security Team.
To report a security vulnerability, follow the process for reporting a Drupal Security issue.
Do not disclose the nature of the vulnerability in public. The Drupal Security Team will publish an advisory and issue a CVE once a fix is available.