How to report security issues?

I recently was working with some software based on the Vaadin framework, and I discovered a minor security issue, but one that could be leveraged to gain additional information about the server’s internal state and does have a few possible matching CWE (Common Weakness Enumeration) identifiers.

I would like to contact some developers directly to see about confirming my interpretations of what I am seeing and, if my assessment is correct, to see about getting this fixed. I noticed that the question of how to report security issues was asked in the past, but I was not able to find an answer to it in a few minutes of searching. How do I go about that/who should I contact?