Open source means that the code is available for security evaluation, not that it necessarily has been evaluated by anyone. This is an important distinction.
Understood. My question is, how do I know if it has been evaluated by anyone? And when somebody evaluates the code and finds a problem, is GitHub the place where it will be reported?