If you've found a vulnerability, please consider first if this vulnerability is due to code in oscar. Some vulnerabilities can be caused by improper django settings. If the vulnerability you found can be solved by changing any security setting in django, it is out of scope for oscar.
If you did find a vulnerability, we would very much appreciate it if you could report it privately at:
https://github.com/django-oscar/django-oscar/security/advisories
Thank you for caring!