Magento values the contributions of the security research community, and we look forward to working with you to minimize risk to Magento merchants.
We strongly encourage you to report all security issues privately via our bug bounty program. Please provide us with relevant technical details and repro steps to expedite our investigation. If you prefer not to use HackerOne, email us directly at [email protected] with details and repro steps.
To learn more about securing a Magento store, please visit the Security Center.