We are an open source project with no corporate sponsor and no formal "support". In practice, we support the latest released version and work with OS vendors to make it easy for them to backport fixes for their distributed packages. For some security issues, we will issue a patch-release which has just a simple fix.
We also often have exim-VERSION+fixes branches with small things which we recommend that vendors use.
For postmasters installing Exim manually, we recommend always using the latest released tarball.
Our security page is at https://wiki.exim.org/EximSecurity. It contains the current contact point and list of PGP keys to use for encrypting particularly sensitive information. This also links to our documentation and the chapter on security considerations.
Our security release process is at https://wiki.exim.org/SecurityReleaseProcess. This covers what we do in handling vulnerability reports.
We have no bug bounty program of our own; we're far too disparate a group of volunteers for such things.