From what I can tell we don't explain very well that we *don't* want security issues to be reported in public such as on this mailing list, the GitHub issue tracker, Twitter, IRC, etc.
Rather, please send anything security-related to sup...@dataverse.org
which will create a private ticket in the IQSS/HMDC ticket tracker at https://help.hmdc.harvard.edu
Let me see what I can do about documenting this properly (and perhaps setting up a dedicated email address). I'm looking at sites like the ones below but if anyone has a favorite writeup of how to report security vulnerabilities, please let us know: