OK, so one option there (at least immediately) would be to email the Django Security Team (security at …). It may be a slight stretch of scope but happy to engage there.
Tom Christie is on those emails. We can always CC Andrew in too. (There are a couple of other folks in the ASGI realm that come to mind… — maybe a small CC list is enough to be going on with? 
)