Only bugs present in the latest commit on a branch will be acted on (because all others have clearly been fixed). However, if there's a security bug in one of the GitHub releases, a security advisory will be added to release's description. And if it's the latest release, a new release will be made once the bug is fixed.

Create an issue for the vulnerability unless publicising the issue before it is fixed would put users at risk. In the case that creating a public GitHub issue is not sensible, contact me directly on Discord (stackotter#3100). If the bug does turn out to be serious after further investigation, it will be prioritised and fixed as soon as possible. If it's not serious, it will have the same priority as any other issue.