There are no security specific releases of kitty. Security bugs are fixed and released just like all other bugs.
Preferably send an email to kovid at kovidgoyal.net or open an issue in the GitHub repository, though the latter means you are disclosing the vulnerability publicly before it can be fixed.