Due to resource limitations, only the latest stable minor release is getting bugfixes (including security ones).
So e.g. if the latest stable version is 6.1.3, then 6.1.x line will still get security fixes but older versions (like 6.0.x) won't get any fixes.
Description above is a general rule and may be altered on case by case basis.
You can report low severity vulnerabilities as GitHub issues.
More severe vulnerabilities should be reported to email extractus.security@skiff.com.