https://www.mediawiki.org/wiki/Gerrit/Code_review#Security currently says:
"If in doubt, consider contacting the Wikimedia Security Team."
However mw:Wikimedia_Security_Team does not say how to contact the team. (Which might be fine, but in that case that sentence should get removed from mw:Gerrit/Code_review.)
Creating this task in case adding more explicit contact info is something to consider for the Security Team (feel free to decline).