To report a security issue, please email security@ubuntu.com with a description of the issue, the steps to take to reproduce the issue, affected versions, and, if known, mitigations for the issue. You can also report a bug to the Livepatch team on Launchpad. Launchpad provides the option to mark a bug as “Private Security”, to only disclose the bug to the security group. See this for more information on how to file a private security bug on Launchpad.
The Livepatch team will be notified of the issue and will work with you to determine whether the issue qualifies as a security issue. We will then handle figuring out a fix, getting a CVE assigned and coordinating the release of the fix.
The Ubuntu Security disclosure and embargo policy contains more information about what you can expect when you contact us and what we expect from you.