I haven't looked into the disclosures or the ClipperCMS code to assess their merit or risk, but when you and other ClipperCMS representatives post that "These sort of 'security disclosures' are quite irritating", calling them nothing but FUD, there's one thing you're not doing: instilling trust in other people that you are in fact on top of security and that issues have been fixed. That's when people take it upon themselves to share information, because the official channels haven't.
If the issues have been fixed, great, go spread that message instead of blaming it on FUD.
If they haven't been fixed because your assessment of the issues indicates the reports are invalid, then as a project maintainer that is of course your decision to make. I would like to encourage you to fix them anyway as you can't be sure they won't be abused unless they're resolved.
In my earlier post I tried to give an example of why in my opinion manager authentication is not sufficient protection against vulnerabilities. Those examples may not be applicable today, but you don't know what will happen tomorrow or the day after.