Until Trillium reaches 1.0, only the most recent release will be certainly be supported for security updates, but an effort will be made to backport critical patches when possible.
To report a vulnerability, email hi@jbr.me and/or contact me on signal.
Feel free to draft a GitHub Security Advisory in addition to the above.
Important
Please do not exclusively file a GitHub security advisory without also reaching out on another channel. GitHub's notifications for draft security advisories are inadequate and too easily missed.