The Asterisk project maintains a documentation page of releases. Each version is listed with its release date, security fix only date, and end of life date. Consult this wiki page to see if the version of Asterisk you are reporting a security vulnerability against is still supported.
To report a vulnerability use the "Report a vulnerability" button under the "Security" tab of this project.