If nothing in particular has been specified by the maintainer, then the latest major version of this project is the one that security fixes will be targeted towards – unless there's a particular reason to instead solve it in a new major version.
If feasible and requested, then older major or minor releases could also be targeted by security fixes. This is decided on a case by case bases unless otherwise is specified by the maintainer.
The maintainer can give no guarantees in regards to the patching of security issues, unless that has been agreed on in a separate contract with the maintainer.
Communicate with the maintainer @voxpelli through [email protected] or other appropriate channel. Clearly convey the importance of the communication and that you are reporting a security issue, by eg. starting the subject line with SECURITY:
or similar.
The maintainer will get back to you as soon as possible and work with you to evaluate and handle the vulnerability.
As none of the maintainers of this module are paid to maintain these modules, no promises can be made in how fast a fix can be made or the quality of the fix.
A new version, preferably a patch version, that fixes the security vulnerability will be released as soon as feasibly possible and the reporting user, unless it wishes to stay anonymous, will be credited for their contribution.