AsyncSSH has only one active development branch at this time. Any bug or vulnerability fixes will be fixed in the "develop" branch first and then migrated to the "master" branch in preparation for putting out a new release.
If you believe you have found a security vulnerability in AsyncSSH, please create a draft security advisory or send an e-mail to [email protected] with a description of the issue and details for how to reproduce it. This report will be reviewed and you'll be contacted if further information is required, or when a fix is available.
Published security advisories for AsyncSSH can be found here.