They must fix security holes. They don't have to make internal protocols public. These are not comparable investments of time, either.