We will not delete the post. If we were afraid of having discussions on our site, we wouldn't have a forum in the first place. As you can see, everyone here can speak, of course as long as they follow our forum rules.
As for the subject:
1. This exploit only appears if you run a custom Host installer with the "Generate ID" function enabled AND if you click the "Tell me more" button.
2. This bug can only potentially be exploited by the remote user themselves, to elevate their permissions. Yes, perhaps there might be other far less probable uses, but overall it has a very limited application/scope.
In this specific case marking your post as "BIG SECURITY ISSUE" could be misleading. Someone who visits our forum may think that our software in general has a big security issue that applies to absolutely all cases, which is very far from the truth.
So instead of posting here on the forum you could just have sent us a ticket or an email, and this bug would have been fixed in a few days without anyone even knowing about it, which is good for security. Security issues are not something that should be immediately disclosed; it is advisable to contact the developers privately first and see how they respond. If they don't respond and refuse to deal with the issue, it may be time to use public pressure. Unfortunately, you decided to use public pressure right from the start, as if we were unresponsive or unwilling to fix issues.
We never said that we didn't like it when our customers or users let us know about exploits in our software. Quite the contrary, we can only be thankful for that, and we encourage users to send us security bugs; the more the merrier. However, our concern is that making such information public BEFORE the bug is fixed is somewhat imprudent and can diminish security for existing users who use that specific feature. This is certainly not the proper way security bugs should be dealt with.