Although we strive to create the most secure products possible, we are not perfect. If you happen to find a security vulnerability in one of our services, we would appreciate you letting us know and allowing us to respond before disclosing the issue publicly. We take security seriously, and we will try to review and reply to every legitimate security report personally within 24 hours.
We fully support one minor release behind the latest (i.e. if 3.12 is the latest release, we will support 3.11).
Depending on the severity of the vulnerability, we may port and release fixes for older, unsupported versions as well.
For responsible disclosure of security issues and to be eligible for our bug bounty program, please submit security issues via the HackerOne portal: https://hackerone.com/automattic