I agree, mistakes and vulnerabilities happen in all software, commercial and open. Now I can only speak for RetroDECK, but we also make mistakes and need to do minor patches to fix those.
I think Jorge and the team handled it as you should: Be transparent, inform on all channels they can and learn from your mistakes.
I personally have full confidence in them.
Those that try to hide or shift blame of mistakes are a bigger red flag in my book.
How about Gitea?