If you think you have found a vulnerability in a specific configuration of the CVA6 you can report it using one of the following ways:
You can find more information about reporting and disclosure at the Eclipse Foundation Security page.
This project follows Eclipse Foundation Vulnerability Reporting Policy.