Where should security vulnerabilities be reported?

[JLLeitschuh]

I haven't found anything, but I noticed the lack of a security contact address on either the site or on the README.

Should the security@jetbrains.com address be used? If not, please provide an alternative address somewhere for researchers and white hats to offer security vulnerabilities.

[JLLeitschuh]

Additionally, where will security vulnerabilities be disclosed when they are found?
As a library offering a web framework developers need a quick way of determining if they need to update their apps because there are known security vulnerabilities with specific versions.

Here are some examples from other frameworks:

Framework	Page
Play Framework	https://www.playframework.com/security/vulnerability
Spring Framework	https://pivotal.io/security
Jetty	https://www.eclipse.org/jetty/documentation/9.4.x/security-reports.html
Tomcat	https://tomcat.apache.org/security-8.html

Usually these pages include a short writeup of the vulnerability and then include the version range that is vulnerable.