Hacker News
by maurycy 6111 days ago
It depends on what the threat is.

If the threat is finding a vulnerability, then you are right. If the threat is leaking the source code to the competition, then it is a serious matter.

Also, keep in mind the deployed source code is different than just the source code; it usually contains things like the database credentials and such.

1 comments

Of course, but the "vulnerability" in this article was about the source code in the repository tree, not the deployed one. Also, I believe that database credentials should be stored in external configuration files (which, of course, shouldn't be browsable) so if they do an update, they don't have to add the credentials again.

About leaking the source: Yes, that could definitely be a problem, I agree, but I'm not sure if this can be considered as a vulnerability, more like carelessness on the part of the admin of the site.