[forkerenok]

I thought they have accidentally "responsibly disclosed" the vulnerability directly into a public mailing list, but the attached pdf is dated >3 months ago.

So assume it's a bit of an inaccurate phrasing.

EDIT: nope, the email itself seeks disclosure coordination etc. So yeah, oops.

[karel-3d]

dnsmasq has no security contact

[marcusb]

Sure, but the author publishes their email address on the main dnsmasq page:

  Contact.
  There is a dnsmasq mailing list at http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss which should be the first location for queries, bugreports, suggestions etc. The list is mirrored, with a search facility, at https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/. You can contact me at simon@thekelleys.org.uk.