Well, due to the nature of mercury, it's impossible to know. The key server is a blind-signer which is agnostic to whether its users are on testnet, mainnet, signet, etc. 

The vulns themselves are in the client code, and mercury has no insight as to who (if anyone) is running that code, or what networks they're running on. No way to notify them besides publishing.

conduition

bitcoin

Mercury Layer Vulnerability Disclosures Report

> Hopefully by the time you’re reading this report, these vulnerabilities have already been fixed and aren’t deployed in any production systems handling real money.

@conduition isn't even sure themselves. This disclosure doesn't look good. 