critical

3mon 11d ago by piefed.social/u/Kierunkowy74 in fedimemes@feddit.uk from media.piefed.social

For those out there poking the code, please disclose responsibly! Don't just make a public post about a security vulnerability, reach out to the devs first to give them a chance to create a fix.

2 months later: challenge failed by users

In a weird roundabout way a disclosure gives me more reassurance.

If a software package went on for years and years without a peep with regard to security fixes or disclosures, I'd start to wonder what they're hiding.