There has a been a lot of talk recently about responsible disclosure issues especially with new developers and glory seekers. The VEL team have its own responsible disclosure code, namely that we wont list any Proof of concept or samples. we will only give the bare minimum.. All we ask is
that devs give us details when they update a security issue. As you will see in our listings, we will only say things like "slideshow, xss, 1.8". A little note like that can save people having un-patched versions on their system before they see a disclosure and then may take some time to update giving hackers a chance to exploit it.
It also saves any confusion about what is and what isn't a current vel item.
That's why we ask people for their alerts as soon as possible so people know to update but we don't give hackers the tools to do it. we don't link to POC pages or anything like that.
Some devs also think that hiding the security update in their change log, or saying it is only a small vulnerability, or saying after a page of product glorification that they have patched the script, is responsible disclosure.
We look forward to hopefully having your alert resolutions as soon as you are aware of them