Vulnerability which can be fixed publicly

1. Grant the module maintainer access to the issue so they will know what is going on
2. Post the template below as a comment on the issue

If the report was received via email, do the same things, but via email.

++++++++++++++++++++++++++++++++++++++++++++++
After careful review, this vulnerability can be fixed publicly as per http://drupal.org/security-advisory-policy because
* it requires the compromised account to have an advanced permission that already makes the site compromised
[OR]
* it affects a branch (or branches) of a project that does not have a "stable release"
[OR]
* it is about a bug or feature request that is not a security vulnerability

Please file a critical bug report in the public issue queue at http://drupal.org/node/add/project-issue/NAME?tags=Security%20improvements. I'm granting the module maintainers access to this issue so they are aware of it.

Thank you for reporting this issue to the Drupal security team.

Regards,
{your name} on behalf of the Drupal Security Team
