Please DO NOT file a public issue, instead send your report privately to [email protected].
Security reports are greatly appreciated and we will publicly thank you for it, although we will keep your name confidential if you request it. We also like to send gifts—if you're into swag, make sure to let us know. We currently do not offer a paid security bug bounty program, but are not ruling it out in the future.