There are carve-outs in that for open source hobbyists ("not associated with commercial activity"). This was originally vaguely worded but they've now made it a lot less ambiguous: the only open source it covers is that which is being developed by a company which is also making money directly from it.
(And in the case that a company takes that code and uses it in a product, they are responsible to fix any security vulnerabilities but also to report them to the author.)