SECURITY.md
Security Policy

Supported Versions

You can report security vulnerabilities in the most recent patch level of any SSVP version.

For instance, if v0.1.2 and v0.2.1 exist and are the highest patch levels of their respective versions, you can report vulnerabilities in them, but not in v0.2.0 or v0.1.1.

Reporting a Vulnerability

If the vulnerability is extremely minor (unlikely to actually affect anyone), you can file an Issue.

If it's a moderate vulnerability (could potentially affect people, but absolute secrecy isn't required), send an email to Amy.

If the vulnerability is critical, still send an email, but make sure it's GPG/PGP encrypted. Amy's PGP fingerprint is 7786034BD52149F51B0A2A14B1122F04E962DDC5 (expires 2025 July 19), and her keys are available from keys.openpgp.org.