Security issues specific to the VisIt code base itself have so far been rare.
The issue label, security is used to identify issues which manifest known security vulnerabilities.
Security issues, when discovered, follow the same process as any other bug fixes. Security issues are triaged and assessed for severity and likelihood. Work to correct security issues is then scheduled as appropriate.
Though the project has so far not encountered urgent security vulnerabilities, should any arise the project will use GitHub's security communication mechanisms to gather information.
In the event the VisIt user community requires notification of a potential urgent security vulnerability, our intention is to provide an update on or about the same time we use our normal communication mechanisms to alert users.
The supported version of VisIt is the latest release. The latest release of VisIt can be found on the releases page on the VisIt website.
Any security issues requiring immediate updates to VisIt will be made available, at best, only in the latest release but might also only be made available in the next planned release. A planned release of VisIt may be accelerated in order to address a security issue. On very rare occasions, the VisIt project may re-release an already released version solely to address a specific or severe issue.
Generally, any issues with security implications should be submitted through the project's GitHub security Report a vulnerability button.