- I don't remember us ever marking a security vulnerability as
  'security/fixed' when it was only fixed in Git. I don't think that we
  should do this either.
- There is no "Affected versions" section below and it's probably fine
  like this.