As of November 2019 (and until this document is updated), only the v3.0.0-beta tags of Strapi are supported for updates. Any previous versions are currently not supported and users are advised to use them "at their own risk".
Please report (suspected) security vulnerabilities to security@strapi.io or via the Strapi Slack.
When reporting a (suspected) security vulnerability via slack please reach out to any of the following Strapi employees directly:
@aureliengeorget@alexandre@lauriejim@soupette
You will receive a response from us within 72 hours. If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days.