Only the latest version is supported. If a security bug is found, a new version will be released as quickly as possible. If there's too much work remaining in the pipeline for the next version, a patch will be released (for example, 0.3.1 -> 0.3.2 while the next version will be 0.3.3).

Either fill an issue on GitHub if you believe the issue can be public. If you prefer to keep it quiet, use the contact form here. You should get a reply quickly (from a few hours for up to 48 hours).

If the vulnerability is accepted, it will be patched as soon as possible and a new release will be made if it is present in the latest release. You will be credited in the changelog.

If the vulnerability is declined, you'll get an explanation of why.