On January 9th we released Commerce 0.10.3 with an important security fix. Disclosure for that bug is planned for February 12th.
Edit Feb 12: the disclosure can now be found here: