Yeah, I think this issue has been widely known for a long time, so I don't think a disclosure period applies. Alex is right to call us out for not addressing it sooner. Starting work on it now. Thanks for the kick in the pants, and sorry we needed it.
Andrey 🦃 Petrov
Great reason for NFT viewers to not render centralized metadata by default (http tokenURI links). Only render content-addressable storage links like IPFS, or on-chain base64 embeds. Also creates a valuable forcing function for NFT creators to Do It Properly™.
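The default-deny rendering policy described in the post above, sketched as an added example that is not part of the original thread or any viewer's own code. It goes one step further than the post by applying the same rule to the `image` link inside decoded on-chain metadata. The `POLICY` setting, the function names and the sample values are assumptions, and the CID check is a shape check only.

```javascript
// Added example, not from the original post. Runs under Node.js (uses Buffer).
const POLICY = { allowHttp: false }; // hypothetical viewer setting: off by default

// Classify one link (a tokenURI or a metadata "image" value) by URI scheme.
function classifyLink(uri) {
  if (typeof uri !== 'string') return { kind: 'invalid', render: false };
  const s = uri.trim();
  const scheme = (/^([a-z][a-z0-9+.-]*):/i.exec(s) || [])[1]?.toLowerCase();
  if (scheme === 'ipfs') {
    const cid = s.replace(/^ipfs:\/\/(ipfs\/)?/i, '').split(/[\/?#]/)[0];
    // Shape check only (CIDv0 base58 or CIDv1 base32), not multihash validation.
    const ok = /^Qm[1-9A-HJ-NP-Za-km-z]{44}$/.test(cid) || /^b[a-z2-7]{20,}$/.test(cid);
    return ok ? { kind: 'ipfs', render: true } : { kind: 'invalid', render: false };
  }
  if (scheme === 'data') return { kind: 'onchain', render: true };
  if (scheme === 'http' || scheme === 'https') return { kind: 'centralized', render: POLICY.allowHttp };
  return { kind: 'unknown', render: false };
}

// Decode a data:application/json;base64 tokenURI; null if it is not one.
function decodeOnchainMetadata(uri) {
  const m = /^data:application\/json(?:;charset=[\w-]+)?;base64,([A-Za-z0-9+\/=]+)$/i.exec(uri.trim());
  if (!m) return null;
  try {
    const v = JSON.parse(Buffer.from(m[1], 'base64').toString('utf8'));
    return v && typeof v === 'object' && !Array.isArray(v) ? v : null;
  } catch { return null; }
}

// Decide whether to render; an embedded image link must pass the same policy.
function renderDecision(tokenURI) {
  const top = classifyLink(tokenURI);
  if (!top.render) return { render: false, reason: `tokenURI is ${top.kind}` };
  if (top.kind === 'onchain') {
    const meta = decodeOnchainMetadata(tokenURI);
    if (!meta) return { render: false, reason: 'undecodable on-chain metadata' };
    if (meta.image !== undefined) {
      const img = classifyLink(meta.image);
      if (!img.render) return { render: false, reason: `image is ${img.kind}` };
    }
  }
  return { render: true, reason: top.kind };
}

// Constructed sample inputs; the CID is a made-up shape, not a real object.
const toDataURI = (o) => 'data:application/json;base64,' + Buffer.from(JSON.stringify(o)).toString('base64');
const SAMPLE_CID = 'Qm' + 'a'.repeat(44);
console.log(renderDecision('ipfs://' + SAMPLE_CID + '/1.json'), renderDecision('https://nft.example/meta/1.json'));
```

Metadata fetched from an `ipfs://` tokenURI would need its `image` value passed through `classifyLink` as well before anything is displayed.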