In addition to contacting the vendor, you can send it to security-s...@fidoalliance.org.