Security vulnerabilities are found in OSS programs all the time, how do you tell the difference between negligence/incompetence/mistakes and malicious activity?