There are comments elsewhere in the discussion indicating that these attacks tend to be discovered by automated scanners and the maintainers themselves, not by customers negatively impacted.
i had the same thing in mind, though, is not that part of the process until the release of available? should not the release already have the maintainers input?
