In Rust or Go, you can of course hide vulns in a contribution, but typically you would have to be submitting a patch to a security sensitive part of the code, or at least the patch would look a bit strange (referencing modules it doesn't need, extra dependencies, etc.)
In C, you can typically hide memory corruption vulns anywhere that touches external data, and these are not obvious at all. Not to mention one can make their own bugs without the help of any attacker - and the attacker will just do code review and keep track of them in a private database...
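To illustrate the point about C code that touches external data, here is an added example (not part of the original post) of a bounds check that reads as correct in review but wraps on a hostile length, next to a form that cannot wrap. The record layout, function names and sample bytes are constructed for the illustration, and a 32-bit `unsigned int` is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout: 1-byte type, 4-byte little-endian length,
 * then `length` payload bytes. */
#define HDR 5u

static const uint8_t SAMPLE_OK[]      = {0x01, 3, 0, 0, 0, 'a', 'b', 'c'};
static const uint8_t SAMPLE_HOSTILE[] = {0x01, 0xFB, 0xFF, 0xFF, 0xFF, 0, 0, 0};
static uint8_t scratch[16];

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Reads like a bounds check, but off + HDR + len is 32-bit unsigned
 * arithmetic: for len near UINT32_MAX the sum wraps to a small value and
 * the check passes. A copy guarded by it would run past the buffer. */
int fits_naive(uint32_t off, uint32_t len, uint32_t total) {
    return off + HDR + len <= total;
}

/* Same intent, ordered so that no intermediate value can wrap. */
int fits_safe(uint32_t off, uint32_t len, uint32_t total) {
    if (off > total || total - off < HDR) return 0;
    return len <= total - off - HDR;
}

/* Copy the first record's payload into out; returns its length or -1.
 * Uses only the non-wrapping check and also bounds the destination. */
long read_record(const uint8_t *buf, uint32_t total, uint8_t *out, uint32_t cap) {
    if (total < HDR) return -1;
    uint32_t len = rd32(buf + 1);
    if (!fits_safe(0, len, total) || len > cap) return -1;
    memcpy(out, buf + HDR, len);
    return (long)len;
}

int main(void) {
    printf("naive accepts hostile length: %d\n", fits_naive(0, 0xFFFFFFFBu, 8));
    printf("safe accepts hostile length:  %d\n", fits_safe(0, 0xFFFFFFFBu, 8));
    printf("ok record -> %ld, hostile record -> %ld\n",
           read_record(SAMPLE_OK, sizeof SAMPLE_OK, scratch, sizeof scratch),
           read_record(SAMPLE_HOSTILE, sizeof SAMPLE_HOSTILE, scratch, sizeof scratch));
    return 0;
}
```

The two checks differ by one line of arithmetic, which is why a reviewer has to evaluate each length comparison against attacker-chosen values rather than trusting its shape.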