The maintainers of openHAB are usually only working on the main branch on code, i.e. on the next release, which is currently 4.1.0. As the currently officially supported versions are 4.0.x and 3.4.x, security patches will be considered for these, depending on their severity.

Please get in contact with the openHAB security response team by writing a message to security@openhab.org. Allow the team a few days time for a response. Note that everyone at openHAB is doing all work in the spare time and not being paid - nonetheless everybody will do the best to be responsive and reliable.

Please provide your GitHub handle in the communication as if the report is accepted, the security response team will draft an advisory on GitHub and all further communication with the reporter will happen there.