Report security bugs by emailing the maintainer at [email protected].

The maintainer will respond to your email as soon as he can, usually within 24 hours. If the vulnerability is accepted, a bugfix will be released to all actively maintained versions.

Depending on the severity, GitHub security advisory or roave/security-advisories can be used to inform users about the important bugfix release.