Any build that is upped to a release is a supported version and should not have any security bugs. Feel free to report for any of the current releases. If you find an issue in an older release that is already removed feel free to also report this in case of regression, I'd rather know we made a mistake at one point in time and avoid that for the future.
Reporting a vulnerability is best done via our Security page. This way all contributors are alerted and we can discuss the issue in private. It will help in making the fix available as soon as possible without endangering other users of the product.
We will publicly release any security report after the resolution, including all communications; if you would rather have only the bug report public, please let us know in the report.
We report any security notification via the Github notification and advisory system. Sponsors that are hosted will also receive a notification in case a major bug has been found.
This project is an open-source sponsorware effort, which makes it hard to create a monetary reward without breaking the bank very quickly. for critical level bugs, that cause RCE/API data leaks/etc I will award a 50 dollar reward. For other bugs, I potentially am able to reward with some swag such as an official CyberDrain T-shirt or hoodie :)