vibe-d / vibe.d

Official vibe.d development

SECURITY

myOmikron opened this issue · comments

I couldn't find any information regarding handling of incidents / security problems on this repository. As this is IMHO quite important for a web framework, it would be nice to have some sort of contact information (email + PGP preferred over proprietary chats) and information about how to proceed further, what steps are executed and how quickly responses can be expected.

Some proposals:

  • Add a security policy via GitHub. If a SECURITY.md file is found in the root of the repository, it is included in the About section.
  • Add a section in the README on how to establish contacts regarding security considerations

There hasn't been any response from vibe.d maintainers yet, but if you have something to report, you can probably send a mail to the dlang security team (see https://dlang.org/security.html); they are most likely to get in touch with the vibe.d maintainers and get fixes in.