To report a security issue, please use the Google Vulnerability Reward Program (VRP). We use the VRP for our intake, and do coordination and disclosure here on GitHub (including using GitHub Security Advisory). The Google Security Team will respond within 5 working days of your report on the VRP.