[spot]

it's secure and open source.

[stevehawk]

Nothing is "secure".

[strcat]

It's more secure than JavaScript, which is a start. Dropping the need for just-in-time compilation while gaining performance is nice.

[icebraining]

When has JavaScript itself (and not the APIs, unless it's a JS-specific problem) last enabled an exploit in a major browser? I can't remember it.

Meanwhile, here's a NaCl sandbox escape exploit from March: https://www.exploit-db.com/exploits/36311/