Thanks! Comments like yours are what keeps me motivated to continue contributing to open source software.
But although the title is somewhat click-bait, I still think this counts as a vulnerability in my project, since there is a possible combination of default Apache setting and default project files that is exploitable.
Reading blueimp's and larry's comments here I envy their constructivity, open mindedness and professionalism.