For a full disclosure, create a GitHub issue.

For a coordinated disclosure, email golangmigrate@proton.me and then create a GitHub issue notifying the maintainers that there's a new vulnerability (without the details). We won't be checking that email address regularly so it's important to also create a GitHub issue to notify us.

Please suggest potential impact and urgency in your reports.