Reporting Security Bugs
Security issues are tracked in Red Hat's Bugzilla Instance which is common to all Red Hat and Fedora package maintainers. If you find a security issue (potential or verified) and need to report it against a package please follow the instructions for reporting bugs and feature requests. Security issues have an extra step or two that should be added as noted below.
Providing Proper Information
When entering a security bug in Bugzilla, it is important to ensure the information is accurate and clear. If the issue discovered is triggered by a bad file, please be sure to attach the file to the bug report. A testcase that can be reproduced is best so the security team can verify the issues exists, and to verify that the fix is complete. Additionally, if you know which bits of code are incorrect and are triggering the issue, this information will help speed the time needed to research the issue.
Once you have started your new ticket, but before you actually submit it, select Show Advanced Fields at the top of the page (just above Product). Now that all the possible fields are now shown scroll to the bottom and select Security Sensitive Bug (Check if this is a security related issue and should not be public). This does a couple of things including notifying Red Hat Product Security to the issue. With that setting selected you may now select Submit Bug. You'll be kept in the loop to any development of the issue you reported through this bug.