If you have found a vulnerability in software that I've developed or in one of my websites, please contact me as soon as possible using the resources you'll find at https://www.avm99963.com/.well-known/security.txt. In particular, please encrypt your message using my public PGP key.
I ask you to please keep the vulnerability information private between us until the vulnerability has been fixed. As I want to hold myself to the same standards I hold others when I report vulnerabilities to them, I accept that the vulnerability details may be published 90 days after I receive your report, even if I don't fix the vulnerability.
I believe vulnerability details should always become public because everyone have the right to know about them and protect against them, although if there isn't evidence that a vulnerability is being actively exploited, in my opnion it's better to keep them private until either the vulnerability is fixed and the fix widely distributed, or the deadline has elapsed.