Only the latest major version will be supported. For example, if the issue lies in v4.1.2 and v5.2.3, and we are in v5.x.x, I would only make a security patch for v5.2.3.

Report a vulnerability via email to shadowmanguyyt [at] gmail [dot] com. You can expect an update within 1-3 days of the report. Depending on the severity of the vulnerability, there may not be an update at all. You will at least get a reply explaining the decision either way.