If anyone encounters a security issue, it is reported:
check the open and closed issues with the security label.
You can see that https://snyk.io checks the PRs sent to frappe and erpnext.
Along with a security officer, we need to have community volunteers for security: List of module volunteers - #37 by revant_one
A good thing about being a free software community is that multiple parties can conduct multiple independent audits and share insights or fixes.
For foundation members, I’ve put this up on the agenda for the next call:
https://discuss.frappe.io/t/erpnext-foundation-meeting-on-1st-march-2018/33997