Just report the issue honestly, don’t try to obfuscate, and don’t send a message to a security@ with something like “I found a security issue” with no details of any kind.
If it’s not a security@ and not specifically listed as a security point of contact it’s fair to ask if it’s the right location for a potentially security-sensitive issue and whether there’s a better one.
If it’s not a security@ and not specifically listed as a security point of contact it’s fair to ask if it’s the right location for a potentially security-sensitive issue and whether there’s a better one.