In the (still active) 0.X phase of the project, only the latest stable minor release gets bug fixes (including security fixes).
For example, if the latest stable version is 0.42.3 and the latest beta version is 0.43.0-beta, the 0.42 line will still get security fixes, but older versions (such as 0.41.X) won't get any fixes.
The description above is a general rule and may be altered on a case-by-case basis.
You can report low-severity vulnerabilities as GitHub issues; more severe vulnerabilities should be reported by email to [email protected]