The Decred project runs a bug bounty program that is approved by the stakeholders and funded by the Decred treasury.
Please refer to the bounty website to understand the scope and how to submit a vulnerability.
All bugs must be reproducible in the latest production release or the master branch of the code.