This is an excellent question. I think it depends on where the vulnerabilities are. For example, it it’s in your own code (like not using a specific NPM package, or using a new version, or something like), then it should be fine.
However, if it’s found a vulnerability in a part of the codebase that is not managed by you (i.e. that is native to the JourneyApps platform) then you should rather send that through to us on support@journeyapps.com.
I hope this makes sense