We follow the WordPress Core style of versioning rather than traditional SemVer. This means that a move from version 3.9 to 4.0 is no different from a move from version 3.8 to 3.9. When a PATCH version is released it represents a bug fix, or non-code, only change.

The latest version released is the only version that will receive security updates, generally as a PATCH release unless a security issue requires a functionality change in which requires a minor/major version bump.

For security reasons, the following are acceptable options for reporting all security issues.

1. Via Keybase secure message to timnolte or daggerhart.
2. Send a DM via the WordPress Slack to tnolte.
3. Via a private security advisory notice.

Please disclose responsibly and not via public GitHub Issues (which allows for exploiting issues in the wild before the patch is released).