For right now, vulnerabilities in the latest main branch are the only ones that we will fix. If you are reporting for an older version, you should make an argument for why we should backport fixes to it, and make a new patch release for said version.
To report a vulerability, contact a Pinc developer in private, at one of the following places:
Describe the vulnerability and how it can be exploited. From there, we can discuss how to go about resolving it.