Security issues are impossible by design AFAIK: there is no user data, nor real backends. But if you find one, open a security advisory. This ensures the app can be updated before making this public, allowing users to update in that moment.

The response time may vary depending on availability. If the issue is confirmed:

• If the vulnerability is confirmed (a user can be negativelly affected): will be solved as soon as possible, and the advisory and the upgrade will be made public at the same time.
• If the bug exists but no user can be affected, the issue will be made public and added to the normal TODO queue list.