The project supports security releases for the current minor release series and the previous minor release series, i.e. v1.X and v1.X-1. Example: if the current release series is v1.5, security fixes will be supported for both the v1.4 and v1.5 series.
If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at security@spiffe.io. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively.