One pressing problem facing cryptocurrencies today is the security risk of latent implementation bugs. There are thousands of cryptocurrencies created by developers with varied levels of experience, and attackers can easily and anonymously exploit cryptocurrency vulnerabilities for financial gain. Cryptocurrency developer teams often lack disclosure policies and clear plans for how they would respond to vulnerabilities, putting disclosers and users at risk. In this talk, I will discuss lessons learned for disclosers and developers, as well as remaining open questions, based on three different vulnerability disclosures: hash function collisions in IOTA, a chain split bug in bitcoin-abc, and an inflation bug in bitcoin-core. Note that all of these vulnerabilities were disclosed, fixed, and, to the best of our knowledge, not exploited.