All development is done against the current head of the master branch, with releases being tagged periodically.
For BWIPP, most security bugs are "just bugs", so report them openly via the issue tracker.
If you determine that the issue is so serious as to place users' systems at grave risk, then feel free to contact the author directly.