Please report security vulnerabilities by email to one of the maintainers, with Subject containing app_ecosystem_v2 substring. If there was no reply in 24 hours, then create an Issue, without technical details, to inform about previously sent mail.