Currently the last minor version v0.5.x is supported.
You can privately report a vulnerability following this procedure. Alternatively you can create a Github issue at https://github.com/ulikunitz/xz/issues.
In both cases expect a response in at least 7 days.
All security advisories for this project are published under github.com/ulikunitz/xz/security/advisories.