See README's Security section for detailed description of internal security practices.

Use maintainer's email specified at https://paulmillr.com

It's preferred that you use PGP key from pgp proof (current is 697079DA6878B89B). Ensure the pgp proof page has maintainer's site/github specified.

You will get an update as soon as the email is read; a "Security vulnerability" phrase in email's title would help.