Thank you for the response! I was wondering how safe would it be to use the master branch code? Since there is not certainty on the 4.9 release date we wanted to proceed with master branch but we wanted to consult you first. Did it undergo any internal audit or mb is scheduled for one?
We do our best to keep the master branch safe, but bugs can happens. The release branches are way safer, because the release process includes many security operations/review.
Since the master branch is always moving, it can't be audited. The release branch are being audited (this is something new we are actively working on), and any finding will be fixed on master ... but with master always moving you don't know if you are using something that was modified since the last release.
If you really need the latest feature, you can use master for your development cycle ... but then replace master with the latest release before going live.