Hacker News

techknowlogick, yesterday at 9:15 PM

I'm one of the project leads of Gitea (and am paid for some of my work on Gitea), and here are some more details around the specific incident you are talking about: We were alerted to an issue, investigated, provided a patch, and then waited until the end of the embargo to release the next version with the fix. It turns out they had sent a follow-up after our response to them that, due to their usage of an email relay that gets blocked for spam often, went into the spam box for all of the maintainers on the security team (across multiple mail providers). We informed them of this and they still haven't corrected the record on their blog post. This is after previously giving us 10- and 2-day "embargoes" on "severe" issues and a multi-hundred-line patch that rewrote core portions of the codebase and introduced issues in itself; we notified them of this and provided them with our patch. In our interactions with them we have also followed our documented approach, which we have followed with Codeberg previously (and for which we were thanked and applauded), but they have changed their stance and claimed we are now acting improperly (and when we asked how we could adjust our approach to something that works for their adjusted expectations, we never received a response, even after sending multiple emails from multiple non-company maintainers and even messages in multiple chatrooms).

Disclaimer: I was also previously an elected member of Codeberg's board (presidium), where before the company that was founded to support Gitea's community maintainers was created, I had asked for assistance with multiple matters to aid in project development and was denied.