My name is Tsvetomir and I'm part of the Kendo UI team. I'll try to address your questions below.
Your understanding is correct on all four points.
As for your question, currently we do not notify customers of security bugs that are not yet fixed.
I'm not sure what would be the right approach here.
Disclosing details about exploitable vulnerabilities before actually fixing them will just extend the window of vulnerability.
That said, security issues are a rare occurrence and usually can be traced down to a particular user setup.
The framework is passive for the most part and needs a specific configuration to issue requests, output data and so on.
For example, using a template that does not escape HTML, "#= dataItem.evil #", vs. one that does, "#: dataItem.evil #".
I hope this helps.
Join us on our journey to create the world's most complete HTML 5 UI Framework - download Kendo UI
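To make the escaping point in the reply concrete, here is an added example (not Kendo UI's own template engine and not code from the post): a minimal renderer that reproduces only the two template syntaxes contrasted above, "#= expr #" for raw output and "#: expr #" for HTML-encoded output. The helper names `renderTemplate` and `htmlEncode` and the sample record are assumptions made for the illustration.

```javascript
// Added illustration, not Kendo UI's template implementation: a minimal
// renderer that supports only "#= path #" (raw) and "#: path #" (encoded).
// renderTemplate/htmlEncode are assumed helper names, not Kendo APIs.

function htmlEncode(value) {
  // Encode the characters that can open or close markup or attribute values.
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderTemplate(template, data) {
  // "#=" inserts the value verbatim; "#:" HTML-encodes it first.
  // The expression is a dotted property path looked up in `data`.
  return template.replace(/#([=:])\s*([\w.]+)\s*#/g, (match, mode, path) => {
    const value = path
      .split(".")
      .reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
    return mode === ":" ? htmlEncode(value) : String(value);
  });
}

// Constructed sample record: a field whose content came from an untrusted source.
const sample = { dataItem: { evil: '<script>alert("xss")</script>' } };

// Same data, same cell; only the template delimiter differs.
const raw = renderTemplate("<td>#= dataItem.evil #</td>", sample);
const encoded = renderTemplate("<td>#: dataItem.evil #</td>", sample);
```

The raw rendering emits the markup into the page as-is, while the encoded rendering turns it into inert text, which is the difference between the two configurations the reply describes.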