Fixes to vulnerabilities result in the project issuing a new release with the fixes. We do not patch and release an updated version of a previous release. We will fix any vulnerability from any release if and only if the vulnerability still exists in the latest release.

One way to report is to add a Issue on the issues page for the project. Another is to email to libdwarf at linuxmail dot org

Normally we respond to a report within one day and provide fixes within a day or two. We can provide the new version of the affected source file as a diff or a copy of the fixed source file(s) when that seems appropriate.