If they manage to keep XSS vulnerabilities off of the pages on their domain(s) for longer than a year I'll be very surprised.
Personally speaking, I'd rather know. If it's a piece of security software it's reasonable to assume the bad guys are already looking at it or using it.
Personally speaking, I'd rather know. If it's a piece of security software it's reasonable to assume the bad guys are already looking at it or using it.