The Hyperledger policy for reporting and handling security bugs can be found in the Hyperledger Defect Response wiki page. Details specific to this repository are documented below.
The latest release version is supported with security updates. To address any security vulnerabilities found in previous releases, you should update to the latest release.
Suspected security vulnerabilities in this project can be reported using the repository's security advisories page. Guidance can be found in the GitHub documentation on privately reporting a security vulnerability. The maintainers will work with you to confirm the vulnerability, deliver a fix, and then release a security bulletin.
Dependencies are regularly scanned for published security vulnerabilities, and these are addressed as soon as practical. In general it should not be necessary to report vulnerabilities in project dependencies.