Report vulnerabilities immediately to the current project lead. If you don't know who that is you can always email the club president at [email protected]. Security updates should take place during the next sprint. Depending on the severity of the threat, it could be handled sooner or later.