One of my colleagues recently discovered two security vulnerabilities in Activiti, but was unable to get a response from Alfresco and posted details on the oss-security list:
I am making this post in the hope that someone in the development community would be interested in resolving these vulnerabilities. I can provide more specific details privately; I do not wish to make end users more vulnerable by posting exploits publicly.
I made several attempts using the Alfresco contact form, reaching out for someone to contact me privately so I could forward the security details. I received a number of confirmation emails, but nobody ever responded to them.
Thanks for letting us know. I can only assume that someone assumed that, as Activiti Explorer is not supported in the Enterprise version, this would be dealt with through Community channels. I will investigate to understand where the lapse came from, as the Activiti team are very committed to the Activiti Community and would not want to expose anyone to security risks.