Per the Linux Foundation Vulnerability Disclosure Policy, if you find a vulnerability in a project maintained by the Open Source Security Foundation (OpenSSF), please report that directly to the project maintaining that code, preferably using GitHub's Private Vulnerability Reporting.
If you've been unable to find a way to report it, or have received no response after repeated attempts, please contact the OpenSSF security contact email, [email protected].
Thank you.