Why? What's the danger here? Is the original maintainer going to send someone named Vinny to break your legs if you fork a project that won't accept a security patch you need?
I think you should just fork it privately, apply your patch, and move on with your life.
If you're keeping it private, none of this applies. I'm talking about "hey that project is bad, I am now maintaining a competing project, please use it instead."
Instead of framing it as "that project is objectively bad, my one is better", why not say "my project is a fork of this project but with a bit less unsafe" and then see what the community does?
Forking isn't provocative. Forking and then claiming your fork is objectively superior is.
What peril? Why is everyone treating online outrage mobs as if they had any power or authority? Who cares if some unimportant anonymous commentator thinks a fork is aggressive?
Agreed. But how do we define "people"? Are your prospective users all hanging out on Reddit and Twitter? Or are these two communities, as I believe, vocal but unrepresentative slices of a much larger potential silent user base?
Totally, I think that sometimes, forks do make sense! Sometimes, you have to be aggressive, and people will find it justified. io.js is a great example of this happening and working.
I wish that it wasn't perceived as such, but the reality is that it is. Ignore that at your own peril.