There are no security specific releases of kitty. Security bugs are fixed and released just like all other bugs.

Preferably send an email to kovid at kovidgoyal.net or open a private security advisory using the GitHub security advisory facility.

Note that I will generally respond to security communication within 72 hours. Once the bug is confirmed, it will be fixed or at least mitigated within another 72 hours, at which time the fix will typically be committed to master and hence be public. That timeline might be extended based on the severity of the issue and the current state of master in terms of making a new release, if so, it will be done in consultation with the issue reporter.