The DefectDojo team aims to release at least once a month, on the last Tuesday. Bugfix or security releases can come at any time.
In doubt, GitHub Actions are the source of truth. The releases are semi-automated right now, with a DefectDojo maintainer proceeding with each major step in the release. The steps for a regular release are:
devand prepare a PR against
master(details) –> A maintainer verifies and manually merges the PR
devis created to re-align the branches (details)
PRs that relate to security issues are done through security advisories which provide a way to work privately on code without prematurely disclosing vulnerabilities.