We contract with a group called Hackerone that provides the vetting process with them, and then through responsible disclosures, those vulnerabilities are reported to us to fix them before they're disclosed publicly, so we can resolve any of those vulnerabilities that they find.
On May 29th, 2019. See this statement in context.