We do release patches for security vulnerabilities, but only for the latest version of the software. It is always recommended to keep your installations up to date to avoid problems and get the latest features.
Please report (suspected) security vulnerabilities to info@navigatecms.com or, if non-critical, just open an issue in GitHub. You should receive a response from us within 72 hours. If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days.
We do NOT have a bug bounty program. Our software is open source and at this time we do not have any resources to offer rewards. The only offering we could give is a mention to the discoverer of the vulnerability. Simply tell us how you want us to refer to you, for example Nickname, E-Mail and Website.