The package supports one minor version release at a time, both for bug and security fixes. For example, if the most recent release is 0.2.1, then the 0.2.x release series is currently supported.
To report vulnerabilities, you can privately report a potential security issue via the GitHub security vulnerabilities feature. This can be done here:
https://github.com/Qiskit/qiskit-addon-mpf/security/advisories
Please do not open a public issue about a potential security vulnerability.
You can find more details on the security vulnerability feature in the GitHub documentation here: