Please report security issues privately through GitHub's "Report a vulnerability" flow rather than opening a public issue. You can expect an acknowledgement within 7 days.
Pre-1.0, only the latest released minor version receives fixes.
This is a template. When you build a real project from it, expand this policy to cover your project's actual threat surface, and treat any violation of a documented invariant as a security-class issue, not merely a bug: code that is documented to behave one way but does not is exactly the kind of surprise that becomes a vulnerability.