Fediverse developer, when someone reports a security issue with your software, there is one and only one correct course of action.

Say thank you. Prioritize an immediate fix. Publish a hot patch version for all applicable major versions within hours or days. Publicly acknowledge the report.

Avoid minimisation, whataboutism, personal attacks, and complaining about the work involved.