In general, the FPP team only supports the "latest release". Any bug fixes are likely to only be done on the master branch and possibly ported to the single "latest" release branch. Users are strongly encouraged to keep up to date with the latest releases of FPP whenever possible.
FPP is designed to be run as an "appliance" on a secured network and is not intended to be opened up to the entire internet. As such, security vulnerabilities, while important, are not considered super secret.
Security vulnerabilities should be reported via normal issues logged on GitHub. Fixes should be proposed using the normal Pull Request methods whenever possible.
For further discussions, a thread can be created in the FPP sub-forum at: https://falconchristmas.com/forum/index.php/board,8.0.html
Vulnerabilities reported any other way will likely be ignored by the developers.