Security policy questions #268

@theodoreb

Description

The Drupal project is considering adding this library as one of our dependencies and so we're performing a standard stability review. We're looking into adopting this as a dev dependency of @drupal/once (the corresponding Drupal core issues are #2402103 and #3199444). I'm aware that the package is minimally maintained, so I appreciate the time taken to read this.

Since there isn't a policy at https://github.com/bublejs/buble/security I'm curious if you have any official policies documented somewhere regarding:

Security releases
For example, does more than one version receive security fixes, or only the current version? What would your policy on disclosure be? For example, would you ask users to report security issues privately, and publish the existence of the vulnerability only once a fix is available, for coordinated disclosure?
Release windows/cadence
For example, do they happen as necessary on any given day, or on a set schedule after a certain passage of time (e.g. once a month)? Looking at the version history I can probably make some assumptions, but would like to confirm.
Backwards compatibility guarantees
buble uses semver, so I assume the minor version promises not to break BC. Are there any guarantees that a given version will be supported for some period of time (an LTS version, for example)?

I know the project is not very active because it works well enough (in my case anyway), so I appreciate any information you can give us :) I posted a similar issue against rollup/rollup#3980. Thank you!
