you are correct, and I figured we would have broken the threshold to become a public project by now. It's something we don't have much power over, we need to have bug reports by invited hackers on Hackerone, and until now only a few reports have been coming in (and have been handled of course )
When it comes to security issues, please notify us on the security issues form. That way we can make sure the issue gets fixed before it is published online.
I'll update the SECURITY.md on github as well, thanks for letting me know!
This Post was from: https://www.impresscms.org/iforum/viewtopic.php?topic_id=5899&post_id=50706