One of the things that we have learned needs to be well-managed is vulnerability reporting & management. I am currently working on setting up a HackerOne account for LibreHealth. Hopefully once we have funding we can pay bounties of money and/or swag.
Example: https://hackerone.com/square-open-source
If anyone has concerns about aligning with HackerOne, or other vulnerability management concerns/ideas, please share them here!