Security updates are released on an on-discovered and on-patched basis. Previous versions will likely not receive security patches due to the logistics of doing so, unless absolutely necessary.
In order to report a vulnerability, its best to do it here in the GitHub itself under the issues section, so it can be tracked. There isn't expected to be any major enough vulnerabilities that they would need to be privately disclosed. You will likely receive communication on the issue within the day/week.