Only the latest and main branches will get any security issues fixed. If you use a specific tag, I won't push any fixes for it - you're more than welcome to file an issue for any functionality you want from an old tag that no longer exists.

Vulnerabilities should be reported just like any other issue. I'll do my best to fix things in a timely fashion, but no promises. If something is urgent you can open a pull request for it and it will likely take me less time to go over it and merge it.