it has already found some things that are not actively exploitable, but should still be fixed as good defensive programming practice.