Comment 25 for bug 1507841

Jeremy Stanley (fungi) wrote :

Craig: My question was really more from the perspective of how the VMT categorizes this report, and then how we act on it. I'm having a hard time reconciling the argument that there is a list of backends with (likely) no authentication implemented, but one of them is considered a security vulnerability while the others are simply considered an incomplete/experimental feature implementation. Consistency would dictate that they're all security vulnerabilities (which we then need to fix and announce) or all incomplete features (which can just be fixed when convenient and some documentation published indicating that you shouldn't really rely on them in untrusted environments until a later release).