Steward does not currently publish a private vulnerability-reporting channel. Do not put exploit details, secrets, tenant data, or sensitive environment data in a public issue.
Report security defects that can be described safely through the GitHub issue tracker. If a report requires confidential details, wait for the project to publish a private reporting path. This is a project limitation, not a request to disclose the details publicly.