B.3 Reporting security vulnerabilities
If you've found a security vulnerability in PuTTY, you might well want to notify us using an encrypted communications channel, to avoid disclosing information about the vulnerability before a fixed release is available.
For this purpose, we provide a GPG key suitable for encryption: the Secure Contact Key. See section E.1 for details of this.
(Of course, vulnerabilities are also bugs, so please do include as much information as possible about them, the same way you would with any other bug report.)