Potential security code smells

Hi!
I'm building a linter to detect security vulnerabilities for puppet scripts. Our linter found some smells that might lead to vulnerabilities such as weak passwords and hard coded secrets. It would be important to get your feedback since you have more context on the application than we do. How can we discuss this in private? I didn't find any vulnerability disclosure guidelines.
Thanks!