Reporting security vulnerability

[Shuhao]

Hi,

I've discovered a medium level security vulnerability in XFCE and I'm 
not sure where I can safely report it. I don't see the option to mark 
the bug as confidential or as a security issue in Bugzilla.

The bug is very easy to exploit (however only if you have access to the 
machine, which makes it non-critical) and is able to bypass the lock 
screen. There is a workaround available but it is uncommonly done (imo). 
The bug should also be relatively easy to fix though I do not know 
enough of the XFCE codebase to tell.

Any pointers would be helpful.

Cheers,
Shuhao