Vulnerability which is only present in a non-stable release

Last updated on 29 February 2024
  1. Grant the module maintainer access to the issue so they will know what is going on.
  2. Post this as a comment on the issue (note that "NAME" in the bug report URL below needs to be replaced with the actual project name).

If the report was received via email, do the same things, but via email.

Thank you for reporting this issue.

Because the vulnerability affects a branch (or branches) of a project that does not have a "stable release", per https://www.drupal.org/security-advisory-policy there will be no Security Advisory issued in response to it.

However, it is still important for the vulnerability to be fixed, so I am granting the module maintainers access to this issue for their awareness.

Maintainers, you have two choices on how to proceed:

1. Work on the issue here, in private, OR
2. Close this issue and move it to the public issue queue by creating a critical bug report (https://www.drupal.org/node/add/project-issue/NAME?tags=Security%20improvements). If you choose this option, please leave a comment here with a link to the public issue.

Because the vulnerability does not affect a stable release, the security team will not be formally involved in helping to review or fix the issue. However, the issue must be dealt with before making the module's first stable release (for example, "8.x-1.0"). If the issue is difficult to solve or is taking a long time to fix, it is appropriate to move it to the public issue queue to ensure that other developers are aware of the issue when evaluating the module and can help with fixing it.

We encourage you to get the module to a stable release (even if it has bugs or might have API revisions in the future) so that future vulnerabilities can be handled through the security advisory process, which is helpful to users of your project.

Thanks,
{your name} on behalf of the Drupal Security Team
