Please report vulnerabilities via HackerOne. I will respond as soon as possible.
If you identify a valid security issue, then your name and HackerOne account will be credited in the GitHub release that resolves the vulnerability you reported and in the Acknowledgements section of the website.