Just create an issue that explains the vulnerability and shows where in the code it is.

Of course I will add your username into the credits section, as a thank you for finding a vulnerability.