Sorry to bother you directly like this, especially as you're the webmaster but may not be an actual LAME developer - but you're the only project member who publishes an email address on the website.
On 26th.July.2017 a (Chinese?) security researcher has published on the Full Disclosure security mailing list details of 3 bugs he discovered in LAME that appear to be no worse than denial-of-service (crash):
The bugs all have CVEs and appear to involve improper handling of malformed .wav files. The researcher gives no indication that he has contacted the LAME project about the problem.
I just wanted to make sure you folks know about this - please make sure the right people at your end are aware.