If you find a vulnerability in ca9 itself, report it privately through the repository security advisory flow or by contacting the maintainers through the project issue tracker without including exploit details in a public issue.