GitHub has a mechanism for private disclosure of vulnerabilities to repository owners and authorized persons such as maintainers. The jqlang/jq repository now has this feature enabled.
See Privately Reporting a Security Vulnerability. Click on jqlang/jq's Security page and click on Report a vulnerability. This will notify the owners and maintainers. After submitting you'll get an option to start a private clone of jqlang/jq for collaboration with the maintainers.