A couple of reporters for the Drupal 8 bug bounty have targeted drupal.org instead and noted that the session management is somewhat broken, in that changing a password for the account in one session (e.g. computer #1) does not expire other open sessions (e.g. computer #2).
This is probably due to using Bakery for sessions, while core SQL sessions would handle this correctly.
Closed: outdated
2.0
Code
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability, e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
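The behaviour the report expects, as an added illustration (not code from drupal.org, Bakery or Drupal core): a server-side SQL session store in which a password change deletes every session row for that user and issues a fresh session ID to the session that made the change. The table layout and function names are assumptions made for this sketch.

```python
import hashlib
import secrets
import sqlite3


def open_store():
    """In-memory stand-in for a server-side SQL session table (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, pass_hash TEXT)")
    db.execute("CREATE TABLE sessions (sid TEXT PRIMARY KEY, uid INTEGER)")
    return db


def _hash(password):
    # Placeholder only; a real site uses a slow, salted password hash.
    return hashlib.sha256(password.encode()).hexdigest()


def login(db, uid):
    """Create a session row and return its random identifier."""
    sid = secrets.token_urlsafe(32)
    db.execute("INSERT INTO sessions (sid, uid) VALUES (?, ?)", (sid, uid))
    return sid


def session_uid(db, sid):
    """Return the uid a session ID maps to, or None if it has been expired."""
    row = db.execute("SELECT uid FROM sessions WHERE sid = ?", (sid,)).fetchone()
    return row[0] if row else None


def change_password(db, current_sid, new_password):
    """Set the new password, drop all of the user's sessions, reissue one."""
    uid = session_uid(db, current_sid)
    if uid is None:
        raise PermissionError("not logged in")
    with db:  # one transaction: old sessions never outlive the new password
        db.execute("UPDATE users SET pass_hash = ? WHERE uid = ?",
                   (_hash(new_password), uid))
        # Expires computer #2 and also the pre-change ID used on computer #1.
        db.execute("DELETE FROM sessions WHERE uid = ?", (uid,))
        new_sid = login(db, uid)
    return new_sid
```

Because validity is decided by a row lookup on every request, deleting the rows is enough to expire the other sessions; a design that accepts a session without consulting such a store needs a different revocation step.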