Comment 2 for bug 1915308

I suppose whether this is effectively exploitable by an attacker and whether it can be safely fixed with a source patch in supported stable branches will determine whether we publish an advisory (OSSA). Also it doesn't seem like it's severe enough to warrant discussing in private even if it is exploitable in some cases. What do the Horizon core security reviewers think? Shall we switch it to public or is there additional risk here which isn't immediately apparent?