main and the latest tagged release. Older tags get nothing.
Report privately through the repo Security tab, "Report a vulnerability" (GitHub private advisories). Not a public issue, PR, or IRC message.
Say which command or module, on which commit, how to reproduce it, and the impact you can actually show. Expect a reply in about a week.
Out of scope: the third-party APIs the bot calls, and a deployer's own setup
(exposed metrics port, weak admin password, a leaked config.ini).