Please open an issue on the repo. If you consider the vulnerability confidential, email tris at 0atman.com.