[subsystem]

There are specific things that could be said about the bug in question, like not being secure by default, but this doesn't fix the underlying problem. The development team should recognize that security is an important part of the project and act accordingly.

[steveklabnik]

Seems reasonable. How did they not 'act accordingly' in this case? What should be different about the security process currently in place?