The community has an on-going $500k Bug Bounty program through Immunefi. Please see their site for full details on the program, and what's in scope. All security vulnerabilities, even urgent ones, should be reported through Immunefi: https://immunefi.com/bounty/goldfinch/.

You can also reach out through the security[at]goldfinch.finance mailing list, but if you want to be recognized for the disclosure, you must submit through Immunefi.