Please do not open GitHub issues or pull requests - this makes the problem immediately visible to everyone, including malicious actors. Security issues in HHVM can be safely reported via HHVM's Whitehat Bug Bounty program:
Facebook's security team will triage your report and determine whether or not it is eligible for a bounty under our program.