As IntelliJ always offers to update when a new version is available, only the last version is supported.
Pull requests for security issues with older versions are accepted, if that version is the last one supported by an older IntelliJ version.
To report a vulnerability, please create an issue: this ensures I receive a notification. Crash reports generated by the plugin don't cause notifications.
Security vulnerabilities will be fixed either quickly, or as soon as an upstream fix in a library is available.
On the off chance a security vulnerability does not apply, it'll be declined with an explanation why it doesn't apply.