Alpaca only supports Flatpak packaging officially, any other packaging methods might not behave as expected. Thus, official security-related support is only provided to the Flatpak distribution as of right now. This may be subject to change in the future.
The only ways Alpaca is being distributed officially are:
As Alpaca is a public project with several thousands of users, it's extremely vital to keep it secure. Flatpak confines it already due to sandboxing mechanisms, but nothing is bulletproof.
If you believe to have found a critical security vulnerability, DO NOT disclose it publicly immediately. Allow for it to be patched first and use the contact methods listed in the maintainer's profile (Jeffser) to disclose any vulnerability privately.
Thank you in advance!