Security reports should never start out in the open. Please follow up directly with the team if you have a contact. If not you can always start with the information at https://docs.chocolatey.org/en-us/information/security to see instructions on how to provide the disclosure. Thank you!