For now, Perplexed is in very early pre-alpha development. This, however, does not mean that security isn't a core concern. If you find a vulnerability in Perplexed, you may report it through GitHub's vulnerability reporting. Normal responsible disclosure rules apply.
Security fixes take precedence over new features and non-security-related bugfixes.
If you find a vulnerability in any project Perplexed depends on, you are encouraged to report it upstream. If you would like to report it here as well, you may. Even if our upstream doesn't fix a vulnerability, we can fix it ourselves in our own fork.
We may wait before publishing a fix to an upstream vulnerability, to give them time to fix it theirselves. This is mainly to avoid putting their users at unnecessary risk by publicizing a vulnerability before they've had time to fix it. This will be decided on a case-by-case basis as a discussion between ourselves, the upstream developers, and the person/people who reported the vulnerability.