The latest released version of core-js is supported.
To report a vulnerability please send an email with the details to zloirock@zloirock.ru. This will help us to assess the risk and start the necessary steps.
Thanks for helping to keep core-js secure!