If the vulnerablitiy compromises important user data (Encrypted Conversations, full connection list to anyone, etc.) or is on similar/higher severity, report Security Advisory in the Github Security tab, otherwise create an issue. If the Vulnerability arises not due to the Specification, but due to a specific implementation, report it on that implementation.