When a vulnerability is found, please DO NOT file a public issue. Instead, send an email to one of the core maintainers and await acknowledgement OR file a private security issue. Normally we expect to resolve the issue in 60 days. However should there be an exception the team will reach out for next steps.