All development is done against the current head of the master branch, with a single train of releases being tagged from the master branch regularly and often. Bugfixes are not backported to old versions.
For BWIPP, most security bugs are "just bugs", so report them openly via the issue tracker.
If you determine that the issue is so serious as to place users' systems at grave risk, then feel free to contact the author directly. However, this is unlikely to result in coordinated disclosure: the ecosystem is too diverse, with the code finding itself in many esoteric places.