Please see our guidelines for responsibly disclosing security vulnerabilities:
http://vulnerabilities.farm.bot/