I don't think that's the right way for reporting security holes, otherwise the bug details might become publicly visible to anyone before a patch will be available, leading to 0-day exploitation.

Anyway, I've already shared the bug details with @Andrey Yasko via email.