Daffodil is open source, and we view any security vulnerability as a bug. This includes security vulnerabilities that pass through to Daffodil based on the Dependencies and Licenses we use.

See How to Report a Bug.