There is no separate process for handling security vulnerabilities in FINAL CUT. Security vulnerabilities are fixed and published like all other bugs. Nevertheless, from the moment they are brought to our attention, we try to close them as soon as possible.
Preferably report a vulnerability via email to "guru.mail" + "@" + "muenster.de" or open an issue in the GitHub repository, the latter meaning that you made the vulnerability public before it was fixed.
If you already have a solution for the security problem, please submit a pull request.