I think it would be a good idea to reveal how you discovered the security holes and what code needs to be changed. Please do so via reportbug. A patch from you would be a great bonus. If the vulnerability is very critical or needs to be kept secret for the meantime, please send a PM to the Debian security team (sending a PM to security is also possible via reportbug). Thanks.
DISCLAIMER: I am not from the Debian security team.
