You can privately report a vulnerability to us by sending a report to this private mailing list [mailto:openrefine-coredev@googlegroups.com](mailto:openrefine-coredev@googlegroups.com)
Our core team will try their best to fix any valid vulnerability that is reported to them.
Keep in mind that OpenRefine is designed to run locally on a users PC, while also making network calls across the internet only upon a users choice or command.
As such, certain vulnerabilities might not apply to OpenRefine's design.