In this forum, I don't see why not. Basically, the implementation bug means that the client wasn't following it's own rules. Someone may have found a way to double-spend coin for example that the Client doesn't catch because of how it processes the rules to counter this kind of action.
Is it too early to discuss what happened until more users upgrade?
I am interested in the meta-discussion, about security policy.
In other open source projects, representatives of "key parties" tend to gather on a "vendor security" mailing list that is closed to the public. Vulnerabilities that might have real world consequences are discussed there, and then a coordinated release occurs, where all key players publish the security fixes at the same time.
Since we mostly communicate by forum here, the closest would be a member group that has access to a special forum here just for that issue that the public can't normally see. I'm fairly certain the simple machines forum supports that feature?
I'd support the idea. More trusted members and programmers could post security risks or exploits. Maybe the better way is just to message the developer if they are discovered.Both can work, but a members forum would help to keep out the noise; otherwise everyone will end up messaging the lead developer with every possible thing they here in the news and end up taking his/her time to filter it out on whether it's really a risk or not.
BTW, an important feature of these mailing lists is that anyone can post... but only the "vendor security" group can read the posts.
Thus, it is easy for an outsider with a real security issue to provide detailed information to firstname.lastname@example.org, while preventing unscrupulous people from reading the sensitive information.
I suppose a PM to <somebody>, plus discussion on a closed forum, is the best this forum software can handle.