I'm not arguing they are under any legal obligation, but holding people responsible for something doesn't have to be a legal thing.
I feel that for any open source software that I have released, I have a moral obligation to fix any security issues or, if I am unable to for some reason, to clearly state that they exist. It is irresponsible to leave your software available with a known security issue.