Vulnerabilities in OpenStreetMap operated servers and services should be reported by email to security@openstreetmap.org.