If you get a severe vulnerability reported to your OSS project, it will probably depress you.

If you are a multi-billion-dollar company securing customers' internet connectivity, it seems not to.

https://www.youtube.com/watch?v=6wMXEiFiueM

- BGP consultant started fuzzing the 255 possible BGP route attributes (not that large a space) in *2023*!
- a bag of finds, affecting half the vendors
- None of the vendors has a bug bounty program

Your OSS project is doing fine!😌