Until we hit v1 the only security policy here is to have dependencies updated ASAP, but not on any schedule.

For now, follow the Contribution guide to create a Github ticket for the vulnerability