We take security very seriously. You can (and should) report vulnerabilities to code maintainers.
It depends. If the vulnerability is already present on the master branch (and thus, in prod), you should instead look at the next section.
But nothing stops you from opening an issue, this is what they are for, and why this project is open source. Try to prefix your issue with something like [SECURITY] Something bad....
You can try to personally contact one of the code maintainers (on Discord for example), open a new security advisory or contact us at [email protected] (with a mail marked as important and starting with [SECURITY ISSUE] Something bad...).