I have found a security issue, is there a way to disclose this so that a mitigation can directly be offered, or should I just make a Pull Request?