This is a regretful answer, because it means that Launchbox doesn't take its security seriously. I was hoping the official response would be more professional.
"Dude trust me" doesn't fly in today's security environment. If I planned on continuing to use Launchbox - which, based on this response, I won't - I would want to know the answers to the following questions:
- What steps have you taken to ensure that your codebase hasn't been compromised?
- Has there been a review of recent commits?
- Has there been a review of the build tools to make sure they're not compromised?
- When was the last security audit of LB systems?
A common method for malware to be inserted into legitimate software is for the build tools themselves to be compromised - I'm posting this in hopes that a lesson can be learned - but the arrogance of the entire LB team's reaction to a serious concern has me officially done with this solution.
Hope you guys figure out how to respond to security concerns in a more professional manner in the future.