This is a general question regarding F-Droid that we already asked on their website years ago (and still got no real answer):
Does any of you know any reliable source to prove the claim “F-Droid’s security experts check each app for security vulnerabilities before uploading them”?
We read such claims over and over again, but never found anything that proves this. For us, it looks like a wrong assumption since F-Droid’s website states that a lot of automation is involved to update apps. Besides, there are sometimes apps available which contain publicly known security vulnerabilities (e.g. OpenVPN wasn’t updated for months a while ago). And you don’t “just check” an app for security vulnerabilities. This is an extremely time-consuming process if done thoroughly. F-Droid obviously doesn’t employ an army of security professionals.