To report security vulnerabilities, open a normal bug report in the calibre bug tracker and mark it private.