Dag Wieers wrote:
At least there is a process of reporting out-of-core security problems.
I dont see how that is relevant, CVE's are open to anyone to report against / for ? so whats your point ?
Why should the Drupal team be responsible of code they clearly do no support ? Go and talk to the module's developers to see what processes they have before you use it.
Sure, that should be something that whoever decided to test and look after drupal ( should we select it ) should do, if the built in core modules are unable to handle the issues we need it to.