Please DO NOT report security vulnerability using GitHub. Instead, please follow https://donjon.ledger.com/bounty/