Is the author obligated to fix the broken code? If they aren't willing to fix it, would you prefer they said nothing and left everyone using insecure crypto?
Definitely not. That's why I said it: I think it's great that this stuff is brought to the surface. I can see how what I wrote isn't entirely clear though. What I am trying to say is that it would be nice if the message also aimed at encouraging contribution to open source software. It seems healthier to OSS as a whole to encourage improvement rather than abandonment.
There is simply no way that, realistically, a third-party contributor will rewrite a core part of a platform product for a company that generally does not accept such work, and that has an enterprise version of the software which really gets all the goodies instead, which is where their focus is.
It definitely is open source insofar as it is a public repository that accepts contributions. However, the disclaimer at the top of the repo does seem to suggest that free offerings might be scooped up and put to other uses... I can see where the degree of "open sourceness" might be questioned in a case like this. I will reiterate that I am willing to accept that there might be other politics at play here.