Thanks for taking the time to engage with the project! We believe in the concept of coordinated disclosure and currently expect a 60 day grace period for resolution of any outstanding issues.
You can report a security vulnerability in two ways:
If you have found an issue where you're not sure whether it is a "real security bug", please report it as a security bug. We can re-triage the issue as a regular issue if it turns out to not have security impacts.
We expect all reports to have been verified by a human before submission. Properly triaging and investigating all issues (not just security relevant) takes up time, and we are a volunteer-driven project.
We will endeavour to respond to your request as soon as possible.
We do not offer bounties, but acknowledgement will be made if you like.