In general, due to limited maintainer bandwidth, only the latest version of Tornado is supported with patch releases. Exceptions may be made depending on the severity of the bug and the feasibility of backporting a fix to older releases.
Tornado uses GitHub's security advisory functionality for private vulnerability reports. To make a private report, use the "Report a vulnerability" button on https://github.com/tornadoweb/tornado/security/advisories