While we definitely prefer that (new) maintainers address unresolved vulnerabilities as early as possible, we do not generally require that for new releases, with two exceptions:
* Plugins blocked from releasing because we identified a vulnerability introduced since the latest release. Look for "releaseblock" in RPU for examples.
* Unsuspending plugins. In terms of security, we consider that to be similar to new plugin hosting, so to restore publication, we ask that security issues (publicly known or not) be addressed first.
For anything else, the security warnings shown in Jenkins and on the plugins site will remain active even for new releases.
Some (few) plugins are actively maintained while not addressing previously announced security vulnerabilities. Administrators can make an informed decision on whether they want to install (or keep installed) such plugins.