That’s exactly the problem with many open source projects.
I recently experienced this firsthand when submitting some pull requests to Jerboa and following the devs: As long as there is no money funding the project, the devs are trying to support the project in their free time, which means little to no time for quality control. Mistakes happen… most of them are uncritical, but as long as there’s little to no time and expertise to audit code meaningfully and systematically, there will be bugs, and these bugs may be critical and security-relevant.
But isn’t this kinda like the one-click hosters like Rapidshare or Megaupload? Those services (at least the big ones, I think) have been taken down for copyright infringement, although they had the benefit of the doubt because data was stored fragmented and encrypted. Or am I not seeing something important?