At the time of authoring this security policy, we will only support the master branch for the time being. Sorry for any inconvenience this may cause.
To report a vulnerability, simply create an issue or a pull request.
If the vulnerability is serious, we will try to fix it within a week or a few days. If it's not that serious, we'll try to cover it in a month or so cycle.
We may comment and decline the security vulnerability through discussion and mutual agreement with you if it's found to be not worth the effort.
That being said we appreciate any messages about potential threats because you never know if they could be bigger than you think.