For security issues, contact the core team at firstname.lastname@example.org. We expect security researchers to follow responsible disclosure guidelines — just disclose any vulnerabilities you find directly to us first, and give us a reasonable period to assess and fix the situation.
In return, we will work directly with you to fix any problems, provide additional analytics as appropriate, and help write up any needed report. We will also publicly thank and credit you for the disclosure. You are of course free, with our blessing and support, to disclose the issue publicly after we have fixed it and announced it to our users.
Please do not publicly disclose vulnerabilities in our systems, or do any intrusive or destructive tests, without first talking to us about it. If a potentially destructive test is required (such as an SQL injection that might change a database), we will work together to do so on a test system so that it does not negatively affect our users.
Our source code is on GitHub. Please note that all of our code is AGPL licensed and jointly owned by the Make Your Laws group (other than code from a third party library or that is released under another license).