where do you report port security vulnerabilities

Best place to start, in my opinion, is the port maintainer. Run make maintainer in the port directory and you'll see:

peter@macron:/usr/ports/ftp/wget# make maintainer
thanks people. I didn't want to spam a mailing list that may have already known about the problem, especially as this is the first time I've come across something that didn't appear to be already listed. I will start with the maintainer
ok thanks. I didn't know that. I've emailed the maintainer, if I don't get a response I'll email that address as well