If you find a security vulnerability in any of the libraries hosted in this project, file an issue. I don't believe in secret security advisories.
If you find a security vulnerability in a dependency of any of the libraries, I don't want to know about it unless it's remotely eploitable via the test harness. I am aware I am building against very old versions of .net. It is the responsibility of the final application to link against new enough versions of .net. The projects are designed to load against the newest.