This may differ for some projects (noted in their README.md file), but this is how most of them work.

We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.

Do not submit an issue or pull request: this might reveal the vulnerability.

Instead, you should contact a developer via our discord server (in a support ticket or DM) https://discord.gg/lilith

We will deal with the vulnerability privately and submit a patch as soon as possible.

You can also submit your vulnerability report to huntr.dev and see if you can get a bounty reward.