To report a security vulnerability, please email openssh@openssh.com, unless it is a problem specific to J-HPN-SSH - in that case, please email trnsz@pobox.com.