Is there a vulnerability disclosure channel?

[BadTrasher]

I would like to ask, if the developer finds a vulnerability in sshj, will there be a specific security staff to confirm the feedback here? After the confirmation, if it is a vulnerability, will it be disclosed?