There is currently no way to report any kind of vulnerability. With a security policy this project could tell researchers ways to report vulnerabilities.

Typically vulnerabilities have been reported inside Brax.me itself in the Brax.Me Bugs Community Chat.

But Github is fine too.

But Github is fine too.

is there a way for responsible disclosure?

Vulnerabilities; well, the Security section provided by this platform is there for a reason; it is dedicated to any report of this order.