Question about CVE or disclosure of security issues with Liquid <= 2.5.1?
I am a security researcher who was recently working on a bug bounty program which was leveraging Liquid 2.4.1. In the course of the research I determined that there were a number of issues which were fixed in later versions of Liquid but not disclosed as a CVE, and therefore this program (and others) may not have any way to identify that this version of Liquid was at risk.
Specific issues I was looking at were: #230, #274
Should these issues be disclosed via CVE or similar mechanism so that customers who are running these versions can be aware of the risk (albeit unlikely) of an RCE via these vulnerabilities? I recognize that there was a strong recommendation made to upgrade, and in fact these fixes were cherry-picked for backport to 2.5.x but not earlier versions.
In my research I was able to develop an RCE for each of these issues under specific circumstances (which I am not planning to disclose), but it demonstrated that these could be exploited given the right circumstances.
Related to this (or perhaps not), would it make sense to put together a list of security best practices for Liquid integrators (e.g. how to use Drops, things you should / should not do in accessor methods or filters)?
Thanks for your consideration!
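The kind of integrator mistake the post alludes to in accessor methods and filters, as an added example that is not part of the issue, not the Liquid project's code, and not a reproduction of #230 or #274 (the reporter withholds those details). It runs without the liquid gem: `MiniDrop` is this example's own stand-in, modeled on the shape of Liquid's Drop (an `invoke_drop` entry point, a `before_method` hook for unknown keys, and a class-level allowlist of callable methods), and `Product`, the drops, the filter modules and the sample key are all constructed for the example.

```ruby
# Added example (not from the issue or from Liquid). Runs stand-alone.
require 'set'

# Constructed application object: has a public accessor and a private
# method that must never be reachable from a template.
class Product
  attr_reader :title
  def initialize(title, api_key)
    @title = title
    @api_key = api_key
  end

  private

  def admin_api_key
    @api_key
  end
end

# Stand-in for a Liquid-style Drop (this example's own code). Only public
# methods declared on the subclass itself are template-callable; anything
# inherited from Object/Kernel (send, eval, instance_variable_get, ...) is not.
class MiniDrop
  def self.invokable_methods
    @invokable_methods ||= Set.new(
      (public_instance_methods - MiniDrop.public_instance_methods).map(&:to_s)
    )
  end

  def self.invokable?(name)
    invokable_methods.include?(name.to_s)
  end

  # What a template lookup such as {{ product.title }} ends up calling.
  def invoke_drop(name)
    if self.class.invokable?(name)
      public_send(name)
    else
      before_method(name)   # hook for keys that are not declared accessors
    end
  end

  # Safe default: an unknown key resolves to nil.
  def before_method(_name)
    nil
  end
end

# DON'T: forwarding unknown keys with `send` turns every template key into a
# method call on the wrapped object, including private methods and
# introspection such as instance_variables.
class LeakyProductDrop < MiniDrop
  def initialize(product); @product = product; end
  def title; @product.title; end
  def before_method(name)
    @product.send(name)
  end
end

# DO: expose an explicit, finite set of accessors and nothing else.
class SafeProductDrop < MiniDrop
  def initialize(product); @product = product; end
  def title; @product.title; end
end

# DON'T: a filter that dispatches on a method name (and arguments) supplied
# by the template. `send` reaches private Kernel methods, so a template
# author who can write {{ x | call: "eval", "..." }} runs arbitrary Ruby.
module LeakyFilters
  def self.call(input, method_name, *args)
    input.send(method_name, *args)
  end
end

# DO: filters compute over their input and never dispatch on template data.
module SafeFilters
  def self.shout(input)
    input.to_s.upcase
  end
end

# Simulated template lookup; returns what the template would render.
def render_lookup(drop, key)
  drop.invoke_drop(key)
end

PRODUCT = Product.new("Widget", "sk_live_constructed_example")  # constructed

if __FILE__ == $PROGRAM_NAME
  p render_lookup(SafeProductDrop.new(PRODUCT), "admin_api_key")      # nil
  p render_lookup(LeakyProductDrop.new(PRODUCT), "admin_api_key")     # key leaks
  p render_lookup(LeakyProductDrop.new(PRODUCT), "instance_variables")
  p LeakyFilters.call("", "eval", "6 * 7")                             # 42: code runs
end
```

The allowlist is computed once per drop class from the methods the integrator declared, so adding a helper to the drop is a deliberate act of exposing it; the leaky variants fail because the set of callable methods is decided by whoever writes the template.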