Pacemaker's 2.1 and 3.0 release series are actively developed and receive security fixes.
If you have a support contract with an operating system vendor such as Red Hat or SUSE, please submit potentially security-related reports via the vendor's usual method. Otherwise, please submit a report via:
https://github.com/ClusterLabs/pacemaker/security
See https://projects.clusterlabs.org/w/cluster_administration/cves/