You may not find any security specialist on this forum, thus my suggestion is to google for vulnerabilities and look at the results from specialized websites, which should also report what versions are affected.
A good website would also report what version is known to fix the problem.
This is a more effective way of knowing that those attacks are not effective. They are still annoying you in the logs.
In most cases these bugs are reported in an "ethical way" by security specialists, privately to the software producer, giving them time to fix the problem before the bug is made publicly known. And that's what has happened so far with HFS. It implies those bugs are supposed to be fixed in collaboration and normally verified by the same person who has discovered the problem. I once again wanna thank these people, who I see as contributors of the project.
I think the "any macro marker" command is good to avoid spamming your logs. And that's all you need, I guess.
The old bug (long fixed) was with the regular-expression lib, and that command is using just that.
Just for the sake of conversation, if for some strange reason I was forced to use an old vulnerable version, I would try to protect it using the {.pos.} command instead.
But it's nice that I don't have to.
Also because I'm already using sweet HFS 3.