If people knew about all the vulns in their software, the vulns wouldn’t exist. You can’t disclose if you don’t know. And establishing when you “should” know or what counts as an actionable report will require basically a lawyer to untangle. CYA = hire a lawyer for your open source code. No thanks, I think I’ll keep it on my drive and off GitHub.