Last stable version always provides security updates. There will be no security patches for other releases (tagged or not).
In the case of a security vulnerability report, we ask the reporter to send it directly to [email protected], if possible encrypted with the following GnuPG key: 55F5 D60E EFCA 3591 0089 18E7 A1CB 94DE 57B7 A70D. We usually fix reported and confirmed security vulnerabilities in less than 48 hours, followed by a software release containing the fixes within the following days.