Security vulnerabilities should be reported via an email to [email protected], which ia a private mailing list. Reported problems will be published after fixes are available.
The members of the mailing list are people who provide Noosfero (Noosfero committers, mainly).