Indico uses the second part of the version number for major feature releases, ie. 3.1, 3.2, ...

Bugfixes are generally only released for the latest major version (e.g. 3.1.1 to fix bugs discovered in 3.1).

For security releases we usually follow the same schema. In exceptional cases where the previous version (e.g. 3.0) is still somewhat recent and thus widely used AND no suitable workarounds exist, we may also create a patch release for that version.

Please report it privately using GitHub's "Report a Vulnerability" option. In case you do not have a GitHub account, you can also email email indico-team@cern.ch.