The easiest way to report a security issue is through GitHub. See Privately reporting a security vulnerability for instructions.

The Ubuntu Security disclosure and embargo policy contains more information about what you can expect when you contact us and what we expect from you.

If you believe the issue is an upstream one you might also want to check the Mozilla policy