Please report security vulnerabilities by opening a new GitHub security advisory.
You can also send an email to security@scikit-learn.org, which is an alias to
a subset of the scikit-learn maintainers' team.
If the security vulnerability is accepted, a patch will be crafted privately in order to prepare a dedicated bugfix release as timely as possible (depending on the complexity of the fix).
In addition to the options above, you can also report security vulnerabilities to tidelift.