...
There are two ways to report a security bug. The easiest is to email a description of the flaw and any related information (e.g. reproduction steps, version) to security at lists dot hyperledger dot org.
For Fabric, you may use HackerOne.
...
Information may be shared with domain experts (e.g. colleagues at your employer) at the discretion of the project's security team providing that it is made clear that the information is not for public disclosure and that security at lists dot hyperledger dot org must be copied on any communication regarding the vulnerability.