As RFC 6238 advises, never send the QR code, recovery codes, or any other credentials over an unsecured connection. Protect against brute-force and TOTP-guessing attacks (for example by throttling failed verification attempts and tolerating only a small clock-drift window). Use the recommended key lengths, key storage options and algorithms (such as the hash algorithm) from the BSI guide.
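The points above in working form, as an added example that is not this project's code: RFC 4226/6238 code generation, an `otpauth://` provisioning URI (what the QR code carries, and why it must stay on a protected channel), and a server-side verifier that throttles guessing, accepts each time step only once, and refuses secrets shorter than the RFC 4226 minimum. The window, lockout and failure-count values are assumptions chosen for the example, not values taken from the project or the BSI guide.

```python
# Added example (not the project's code). Window/lockout parameters are assumptions.
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

MIN_SECRET_BYTES = 16   # RFC 4226 requirement R6: shared secret of at least 128 bits
REC_SECRET_BYTES = 20   # RFC 4226 recommended length: 160 bits


def generate_secret(nbytes: int = REC_SECRET_BYTES) -> bytes:
    """Random shared secret from the OS CSPRNG; refuses lengths below the RFC minimum."""
    if nbytes < MIN_SECRET_BYTES:
        raise ValueError("TOTP secret must be at least 128 bits")
    return secrets.token_bytes(nbytes)


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter T = floor(now / step)."""
    return hotp(secret, int(at) // step, digits, digestmod)


def provisioning_uri(secret: bytes, issuer: str, account: str, digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI as encoded in an enrolment QR code. It carries the raw
    secret in base32, so it must only ever travel over an encrypted, authenticated channel."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


class TotpVerifier:
    """Server-side verifier state for one account.

    window          time steps of clock drift tolerated on each side (assumption: 1)
    max_failures    wrong codes before the account is locked (assumption: 5)
    lockout_seconds how long verification is refused after that (assumption: 300)
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, digestmod=hashlib.sha1,
                 window: int = 1, max_failures: int = 5, lockout_seconds: int = 300):
        if len(secret) < MIN_SECRET_BYTES:
            raise ValueError("TOTP secret must be at least 128 bits")
        self.secret, self.step, self.digits, self.digestmod = secret, step, digits, digestmod
        self.window, self.max_failures, self.lockout_seconds = window, max_failures, lockout_seconds
        self.failures = 0
        self.locked_until = 0
        self.last_counter = -1      # highest time step already redeemed (replay protection)

    def verify(self, code: str, now: int) -> bool:
        now = int(now)
        if now < self.locked_until:
            return False            # throttled: the code is not even evaluated
        counter = now // self.step
        ok = False
        # Only a small drift window is searched, every candidate is compared in
        # constant time, and a time step is accepted at most once (RFC 6238 s.5.2),
        # so a code captured in transit cannot be replayed.
        if len(code) == self.digits and code.isascii() and code.isdigit():
            for c in range(counter - self.window, counter + self.window + 1):
                expected = hotp(self.secret, c, self.digits, self.digestmod)
                if c > self.last_counter and hmac.compare_digest(expected, code):
                    ok, self.last_counter = True, c
        if ok:
            self.failures = 0
            return True
        self.failures += 1          # malformed input counts as a guess too
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
        return False
```

The `hotp`/`totp` functions reproduce the RFC 4226 Appendix D and RFC 6238 Appendix B test vectors for the shared secret `12345678901234567890`, so they can be checked against the RFCs directly. Per-account failure counters and lockouts live in memory here; a real deployment keeps them in shared storage so that an attacker cannot reset the counter by hitting a different server instance.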
I support fixing security issues on the following releases:
Version | Supported |
---|---|
1.0 | ✅ |
If you find a vulnerability, do the following:
- Check the issue board to see whether the vulnerability is already known.
- Prepare a post describing the vulnerability and how it could be exploited.
- If you know how it could be fixed, prepare a fix/patch.
- The problem is then featured prominently in the release announcement.