Email [email protected] with links to any Proof of Concepts and explanation of the vulnerability. Please allow 24 hours after emailing to start publicizing the vulnerability (unless tehre is reason to believe it is actively being exploited). A GitHub issue should be opened immediately after the fix is published (or at least before the 24 hours is up) and any extra details for mitigation/detection/etc can be placed there.

While it's important to attempt to get a fix or mitigation out before it can be exploited, it's also a responsibility to notify users so that they can begin any necessary mitigations as soon as possible.