On 5 Aug,2014, at 13:25 , Bruno Oliveira <bruno@abstractj.org> wrote:

On 2014-08-05, Erik Jan de Wit wrote:
We had this discussion before and I still feel that this course of action is wrong. It’s like let’s update the java library that we created when there is a security error in java.

That **must** be the correct approach, most part of the time the cause
of people exploiting security vulnerabilities is because the software is
outdated. Do you want to engage our developers to ignore it?

It’s not cordova itself that is vulnerable it’s one particular version of a platform ( 3.5.0 android ). I’m not saying that people should ignore security, just that we use a runtime and we cannot be held responsible or control what version of that runtime people are using