It's bad when a security researcher finds a critical security flaw in your software. But when he finds about 40—all of them critical? Well, then you might consider rewriting the entire thing ...