Being a unit test frameework, AceUnit is meant to be a pure development tool. Its code is not intended to be shipped as part of an actual production system.

Therefore, at present, I believe that coordinated disclosure of security vulnerabilities is not required. If you find a security vulnerability, please treat it as a bug and disclose it via the Issue Tracker. If you believe that in your situation this is wrong and the disclosure should happen in private, please send an email to one of the authors.