Canonical tracks and responds to vulnerabilities in:

• The most recent patch version of Craft Application.
• Any version of Craft Application that's included in a current release of a Canonical product.

To report a security issue, file a Private Security Report with a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue.

The Ubuntu Security disclosure and embargo policy contains more information about what you can expect when you contact us and what we expect from you.