Contact the Apache Traffic Control Security Team and follow the guidelines on the Apache Software Foundation security page regarding vulnerability disclosure.