
I'm really not sure why you are asking this question. Nextcloud is used by thousands of enterprise-level & small private users on public-facing servers.

Can you be more clear about what you mean by "a friend found that you can take that whole system down from a 56k modem"?

I have no idea what you mean by that. You mention denial of service. Are you claiming a Nextcloud instance can be DoS'ed by a single computer with a 56k internet connection?

Respectfully, that is quite a sensational claim/stance to take.




Yeah, I'm being a bit more vague than I'd like. I should have taken the effort of going to my PC (am on phone), where I have a password manager, to log in to the account under my real name. I don't want to connect this one too much.

Without posting the specific exploit, the issue is with the server-side sleep() in the login system. If you spawn enough threads, which you could easily do in the given time from even a 56k modem, it will for some reason crash the whole thing. Tested with a couple friends and all the instances had to be restarted manually, none of them (running on different web servers) withstood it. It's not clear why as the sleep should simply run through and then unblock the threads; for some reason that's not what happens.

Again, this was reported and they don't care. If you want more info, this should be enough to reproduce it without much effort and/or ask them about it (not sure if they made the ticket public; the initial report was presumably private due to the pre-auth/unconditional nature).


Fair enough, no need to give up any identifying information :)

That doesn't sound good. I guess as a personal user I'm not too worried about being DoSed, but that would certainly be more of a concern for a large organization evaluating the software.

If that is the case, then I certainly have an 'eyebrow raised'.



