This is an open source project that is provided as-is without warranty or liability. As such no supportability commitment. The maintainers will do the best they can to address any report promptly and responsibly.
Please use the "Private vulnerability reporting" feature in the GitHub repository (under the "Security" tab).