Security vulnerabilities...
| From: | dps@io.stargate.co.uk, stargate.co.uk@io.stargate.co.uk |
| To: | letters@lwn.net |
| Subject: | Security vulnerabilities... |
| Date: | Thu, 27 Jun 2002 16:38:59 +0100 |
If a security, or other, bug turns up in my software the bug reporting
procedure is simple: send an email to me. The email address is in the
README file if not elsewhere as well. Ideally send me a patch, a way to
reproduce, or at least some indication of the location of the bug. Hopefully
the fact I supply source makes the latter easier to do :-) Given a
non-stripped binary and core dump then typing bt in gdb would give me
quite a few clues a significant fraction of the time.
Given only stripped binaries then there is little I can tell M$ if Windows
crashes, as it does regularly for lots of people---newer versions are
better than older ones but both still crash on a regular basis, have
memory leaks, etc. Very few people report these because the circumstances
which trigger the bugs are obscure and it is "normal". M$ has done nothing
to fix them for ages. Some of these bugs are probably usable for security
exploits but nobody really has any clues until some black hat demonstrates
them (or a white hat discovers them and reports them to M$ and security
mailing lists).
I would expect contacting one of the primary developers, who is presumably
findable in a README file, would be an appropriate place to send a
security hole to so it can be closed. Finding a good vendor contact is
often a lot more difficult.
