Only code in src/ is within the scope of this security policy, as it's the only code shipped to the user.
For all other kinds of vulnerabilities - unless you can show that it could harm the user, simply open an issue or make a PR.
The only supported version is the most recent version. No LTS releases or similar are provided/supported.
If you find a vulnerability, mail me at: [email protected] You can expect an answer after not more than 72 hours.