I know a few popular open source apps that are straight up insecure. When pointed out, people will call you a corporate shill lol. “Someone must’ve read the code” is what they say. Yes, I did and I’m telling you its no good.