This is a volunteer-run project and is mostly creating images from existing Fedora packages. If you've found an issue with something in one of these repositories you'd need to see if that package comes from Fedora or from a third party resource and report the issue there. The images build every day and automatically slipstream the changes from Fedora into the final image.
If the issue is with something you've found in Fedora then checkout this information from the CoreOS security.md:
If you've found a security issue that you'd like to disclose confidentially please contact Red Hat's Product Security team. Details at https://access.redhat.com/security/team/contact
Most repositories are licensed under the Apache License, Version 2.0. Some components may be licensed differently - consult individual repositories for more.