We encourage responsible disclosure practices for security vulnerabilities.
If you believe you've found a security-related bug, email Jakub Boukal instead of filing a ticket or posting to any public groups. We'll try to assess the problem and disclose it in a responsible way.