Well, now that GOG knows about it, isn't it enough? I mean, haven't they either already solved it or are working to solve it?
You're not a developer, are you?
"Check the code of the entire site for vulnerabilities" is an impossible task.
"Thread titles accept HTML tags as input, and the forum software will interpret them as such. Fix it" is a very easy task.
Fixing a problem you don't know about is not nearly as easy as one you do.