There are a few avenues I don't hear people talk much about using, which I think would be far more effective and appropriate, without the ethical issues of public disclosure (which I think is rarely ever justified). I'd strongly urge anyone to exhaust all these avenues before even considering the typical public disclosure of a flaw's vulnerabilities. I have a hard time thinking of ANY circumstance in which it would be ethical to publicize an unfixed flaw before there is clear evidence someone else is already exploiting it.
(IANAL)
I've known for many years that "comprise" (usually used as "comprised", "comprises", or "comprising" depending on context) means the same as "composed of", so that "comprised of" means "composed of of" which is ridiculous.
BUT, this has been so heavily misused for so long, and increasingly even in respectable publications that should know better and by otherwise skilled and educated writers, that I'm starting to give up. Not to the point of ever saying "comprised of" myself, but to the point of not bothering to correct anyone who does. These days, "composed of" is starting to become a rarity, as is "comprised" on its own, so I'm starting to see "comprised of" as the most commonly accepted usage. Not willingly, but I don't have much choice.
I've noticed several design suggestions in your code.