This project will always provide security fixes for the latest two released versions. E.g. if the latest version is v0.28.x, then we will provide security fixes for both v0.28.x and v0.27.y, but no earlier versions.
In case you think to have found a security issue with libgit2, please do not open a public issue. Instead, you can report the issue to the private mailing list security@libgit2.com. We will acknowledge receipt of your message in at most three days and try to clarify further steps.