While Crochet and Kate are in their experimental phase, only the latest experimental release is supported.

You can report a vulnerability from GitHub's Security Advisory tab (the "Report a vulnerability") button, or you can privately email the security group to discuss it. Either way you choose, a maintainer will get back to you to discuss the details and work towards a patch and public announcement for it.

Note that vulnerabilities in dependencies that Crochet and Kate use should rather be reported to the maintainers of those dependencies.