Well, one person to put up the PR and one dude to approve it - back in 2015. It isn't the security researcher's fault.