
Not everybody has to catch those flaws. But if you are a security company and RELEASE that kind of crap, then it wasn't an instance of a poor guy new to security making a mistake, it is a catastrophic failure of your entire organization. Not properly fixing it means even after they were informed of the issue they weren't able to put people with the necessary skills on it. Which means either that the message didn't reach the appropriate people or that they don't employ enough of those. In both cases, you should not sell security products.

This is no small bug that was overlooked in a code review. The pure idea of several things in it is so crazy that even suggesting them is a massive red flag. Actually implementing it?!

If it goes through a chain of command, then ONE person realizing how bad this is should be enough.

(Also, what "Open Source community"?)
