We hope that developers and users share not only validated attacks or vulnerabilities, but also concerns and general comments on security aspects of our software. This will help us improve our documentation and/or our software, and we will of course give you credit if we follow your advice.
Although the MIT License does not impose any restrictions on how you disclose security issues or attacks, we would appreciate it if you do not immediately post them online or report them as issues at the public software repository or anywhere else (although we understand the urge!).
Instead we hope that you contact us and give us a chance to discuss the findings with you to make sure that we fully understand them. We may also be able to suggest additional targets that you, or we, could investigate.
Keep in mind that other people may be using our software or some modified version in real elections and they deserve a chance to update their systems or complete an election before you make your findings public.
That said, we have first-hand experience with finding serious flaws and attacks, we understand the amount of work involved, and we have an academic mindset, so we will make sure that you get the credit you deserve. Exactly how depends on the importance of the contribution and what you want.
Bugs or issues which are not security critical should normally be reported in the issue system at the source code repository. However, if an issue is only a symptom of a larger problem, then we welcome an email where you outline your ideas, and we hope that you are open to discussing the matter so that we can decide what should be done.