No. 6090
>>6085
Was bored and decided to look through a few parts of the codebase I didn't look at last time: found another persistent XSS, a very powerful one, just a few minutes ago. It does require certain conditions, however.
>>6087
Sorry, not really interested. Already have more than enough of my own cheap VPSs. Still willing to accept other offers. Not trying to be a dick here, I just want to have at least a half-decent incentive to divulge these.
Honestly, there are probably plenty more bugs hiding somewhere. I get lots of bad "vibes" when looking through this code. You guys need to revamp your entire coding style. Use a templating system that auto-escapes all markup output, and use an ORM or at least some kind of abstraction that utilizes SQL query parameterization by default.
It's really hard to believe large, popular web projects like this one are still clinging to coding styles of 2003, when it's 2013. Then again, it is a PHP project, so I guess I can't expect very much.