At Adobe, and on the ColdFusion team, we take product and customer security very seriously.
We have a strict and very detailed internal Product Security Policy that all product teams must adhere to, and I'm proud to say that the ColdFusion team (due to some lessons we learned the hard way back in the very early Allaire days) is a sponsor of and a major contributor to this policy.
From a proactive engineering perspective, before every release the ColdFusion product also undergoes an extensive, open-book, multi-phased external product security audit by a reputable outside contractor who specializes in product security. It's expensive, no doubt, but we believe it's very well worth it for us and for our customers. We open our source code, discuss feature implementation at length, and grant the auditing firm (which is, of course, under an iron-clad NDA) full access to our code and engineers, and together we work to find potential problems and fix issues BEFORE the product ever gets to a paying customer.
Anyway, just a reminder: PLEASE make sure you are running the latest patch levels for your version of ColdFusion (and all Adobe products), and have reviewed the Adobe Security Zone Advisory list here:
In general, you can be sure that when we release a new Updater or dot (or dot-dot) release, we will always roll up all the latest hotfixes and security fixes into that release, so you know you have the very latest patches on the day it ships. But it's entirely possible that an issue could be found after the latest release has shipped and an Advisory released with a patch, so it makes sense (very good sense!) to make sure you're aware of it and on top of it.
So we also provide an email notification service that everyone should sign up for:
From that page:
"The Adobe Security Notification Service is a free e-mail notification service that Adobe uses to send information to customers about the security of Adobe products. Anyone can subscribe to the service, and you can unsubscribe at any time."
"With this service our objective is to provide customers with timely and accurate information that can help protect them against malicious hacking. We research issues reported directly to Adobe, issues found internally at Adobe, and issues discussed in public places such as security newsgroups. When we publish bulletins, they'll describe the security issue, its impact, and how customers can protect themselves. The bulletins will also detail what actions Adobe has taken and additional resources that may be available."
Stay patched and stay safe!