Only the latest version is supported.
Running an older version? Upgrade already!
Send an email to microcosm-security@david.kitchen in the first instance.
If you get no response within a week, then posting a public issue is a good thing :)
This is a pure OSS project and any response is best effort. There is no bug bounty, and those who maintain the project may not (be able to|be motivated to|desire to) address the concern.
That said... we're users of our own software, so "we take security seriously" enough that we'll probably try and fix it, and would gladly receive any PRs that address the issue (without creating other unintended side effects).