I don't see how this is a 'full report'. For example:

> There was a root privilege escalation on one of our platforms which permitted exposure of credentials that were then used to access machines with externally-facing SSH.

How are the credentials exposed after escalation? What accounts on the externally-facing SSH machines were used? Why was it a problem that the externally-facing SSH machines could be accessed? Was the access through root accounts? Why do externally-facing SSH machines allow remote root-login?

Besides, why can I still download projects when the data validation is still ongoing?

Furthermore, the 'full report' does not say anything about what SF.net plans for their SSH servers.

I understand the SF.net team does its best, but I am not so happy with that report.
Sorry, but this is ridiculous:

"Our analysis uncovered (among other things) a hacked SSH daemon, which was modified to do password capture. We don’t have reason to [believe] the attacker was successful in collecting passwords."

You don't have reason to believe they weren't either. Why write this?