You can report security bugs through the Patchstack Vulnerability Disclosure Program. The Patchstack team helps validate, triage, and handle any security vulnerabilities. Report a security vulnerability here.
Do not report security issues on GitHub or the WordPress.org support forums. Thank you.