I mean, we can just look at the official GitHub’s list of security issues to find a few of them really quickly. And note that many of the previous security issues they have “closed” were only due to 120 days of inactivity, not because they were actually fixed.

Anyone who says Jellyfin is secure enough to put on the internet is either grossly misinformed, or outright lying. Lemmy has a lot of apologia for FOSS, and Jellyfin is one of the worst offenders. Many users will be quick to comment “lol my instance has been port forwarded for years and has been fine” like it’s a valid security audit. I love FOSS. What programmers are able to do in their free time, just because they see a need and want to fill it, is honestly amazing. It’s a modern world wonder. But that doesn’t mean we should excuse bad security practices, or encourage users to relax their threat models just because something is free.