Currently only snapshot versions are available. Any vulnerability should be mitigated in a next snapshot version.
Report vulnerabilities to Sander in private, mentioning the project name in the mail subject header. Indicate if and how you want to be identified when publishing about the vulnerability. Expect to get a response within 7 days, but usually within 48 hours, indicating whether the report is accepted. I make my best effort to share fixes for vulnerabilities and publish about the reports when appropriate.