Last stable version always provides security updates. There will be no security patches for other releases (tagged or not).

In the case of a security vulnerability report, we ask the reporter to send it directly to CIRCL, if possible encrypted with the following GnuPG key: CA57 2205 C002 4E06 BA70 BE89 EAAD CFFC 22BD 4CD5. We usually fix reported and confirmed security vulnerabilities in less than 48 hours, followed by a software release containing the fixes within the following days.