
How battle-ready (that is, security-wise) is this beautiful piece of software?


In what regards? Caddy has never been vulnerable to a number of widespread CVEs including Heartbleed, DROWN, POODLE, and BEAST. Caddy uses TLS_FALLBACK_SCSV to prevent protocol downgrade attacks. Like any other web-facing service, it's exposed to DDoS attacks. I've never heard of a machine being compromised by exploiting Caddy...

If anyone has a vulnerability to report, please email me directly[1] (or if it's not serious, a PR would be faster).

[1]: https://github.com/mholt/caddy/blob/master/CONTRIBUTING.md#v...



