You can privately report a potential security issue via the GitHub security advisory feature. This can be done here:
https://github.com/IBM/cbomkit/security/advisories
Please do not open a public issue about a potential security vulnerability.
You can find more details on the security vulnerability feature in the GitHub documentation here: