If you find a vulnerability, or evidence of one, please report it privately.
Vulnerabilities should be reported using GitHub's mechanism for privately reporting a vulnerability. Under the main repository's security tab, click "Report a vulnerability" to open the advisory form.
A member of the terraform-aws-github-runner team will triage the reported vulnerability and if the vulnerability is accepted a security advisory will be published and all further communication will be done via that security advisory.