OED welcomes input at any time. Having said that, security issues can be special as they could represent a risk to those using the OED software. Given this, OED suggests these avenues for reporting a security concern:

1. If the concern may represent a real risk to sites, you should report it to [email protected]. This email is regularly monitored and you should receive a response indicating your concern has been received by the project. Please provide the type of information that would be in an issue including what you are concerned about, where it is located in the code base (if possible), any links to security notices about this issue and any thoughts on how to address the issue. Additionally, you are welcome to indicate you would like us to publicly acknowledge you when an issue and/or pull request is created. If you would like this then please also provide your GitHub ID if you have one. We may delay doing this until a security patch is available for sites to install.
2. You can open an issue on our GitHub repository. The same information as requested in the previous item is appreciated. The major difference is that issues are usually public so anyone (including bad actors) can see the issue before the OED project can act.
3. You can create a draft security advisory by using the "Report a vulnerability" as the issue type on the OED issues on our GitHub repository. Since OED is not a package included in other software, this may be less applicable but still available. These are not public unless the project chooses to make them so.

If you have any questions, then feel free to contact us. We appreciate your efforts and interest in making OED the best possible software.