
Re: "at least one being a buffer overflow"
Within the last few months, another reviewer and I asked an open-source project lead to reject a PR because its API alone had a buffer overflow vulnerability - it didn't even pass the size of the buffer at all, let alone check that the data fit...
The author of the PR then spent the next few weeks denying there could be a problem, and calling us trolls.
They even said that the test case was "not a valid file" and so they wouldn't fix it.
I don't know if that particular idiot works in the industry, but if they do it's pretty obvious that their professional projects will be worse...