I would like to get confirmation on how the WinSCP application is updated?
is it community driven updates?
is there a security vetting process to ensure vulnerabilities/backdoors are not introduced?
If a security related issue has been identified which is deemed a critical risk, what are the timescales (estimated) for resolving these type of issues?