nqiv is not curently considered a project where security is a critical consideration. Mundane crash conditions and bugs can be reported normally through the issue tracker or a pull request. Things that expose user data, enable malicious code execution (especially through the nqiv command format in cmd.h), or other concerns may be reported through GitHub's vulnerability reporting system.