It's important to consider the process of disclosing issues to us. Many bugs can be reported as usual on our issue tracker, but public forums are sometimes inappropriate for reporting security issues.
If you think you've discovered a security vulnerability, the best way to inform us is to send us an email to security [at] mirage.io. One of the team will respond and we will take it from there.
A OpenPGP key is available from the keyservers, its fingerprint is
23B2 822C 89A9 EC73 C7DF 0748 4A73 2D75 7C0E DA74.