Report all security vunerablites to Bugzilla Fenix::Security. If they are not a security bug you will be asked to move your report to Fenix GitHub. See the Mozilla Security Bug Bounty Program and the client security reporting pages for details. In any case where this document and the Mozilla.org pages differ the Mozilla.org pages are the official documentation.