All nginx security issues should be reported to F5SIRT@f5.com or via one of the methods listed here. Patches are signed using one of the PGP public keys.