On security patches, releases, and naming pull requests

[NiklasBr]

Relying on obscurity by not naming pull requests according to the CVE or actual changes is not really a viable security measure. I would even go as far as argue that it is counterproductive: The exploiters who are looking for code to exploit will almost always read the code anyway, and the ones who need to be convinced to install security patches will almost never read the code, only the milestone/changelog.

Therefore I propose at least one of these changes to be made:

1. Name pull requests more truthfully, not [TASK] improve feature X when it is actually [SECURITY] harden code Y
2. Just before a new release is tagged/released, add a [Security] label to the pull requests/issues which are actually security patches.
3. Summarize in text on each release whether or not it contains security patches in addition to the link to closed=1.

[brusch]

Thank you very much for sharing your valuable thoughts. We've recently decided to update our public security policies along with adapting our communication procedure, based on your and our community feedback. This is already in progress and will be rolled out soon.

Thanks for your patience and again for sharing your feedback that helps us to significantly improve our work and product. 🙋‍♂️