The Drupal security team
If you come across an issue in Drupal core or in a contributed module that you think is a potential security risk for other users, there is a slightly different process. If there is a genuine vulnerability, it is best to report it privately to the Drupal security team, who will work with the module maintainer to resolve it if necessary.
When a fix is available, a security notification is sent out explaining the vulnerability and the mitigating factors involved.
There is a special link to report a security issue on all module pages.
