Explained at
and
Thanks Matt Austin for finding and reporting these!
This is all now fully public. The first should affect Caja/original-SES as well. For both, the impact is small. If you know of any projects using SES or original-SES that are not on the addressee list for this message, please forward.
On SES-strategy, let's have a public conversation about what kind of shared responsible disclosure process we want to set up for vulnerabilities that potentially affect both SES and original-SES. Thanks.