Forward Email's security audit by Cure53 is live!


It is promising that they published this but damn those were some serious vulnerabilities.

Also think this is important:

The limited timeframe of FWD-01, however, did not make it possible for Cure53 to cover as much of the ecosystem as desired.

In particular, the mail stack and the internal services received only cursory attention relative to the web and API. For this reason, Cure53 strongly recommends continued retesting of the in-scope components in future engagements, as these are needed to maintain and extend the existing security posture observed during this initial May 2026 inspection.

For me personally it would not be mature enough. The fact they got this done is super positive don’t get me wrong, but the findings in the limited timeframe would leave me thinking more security improving and testing is needed.

It would be fair to say these vulnerabilities are not uncommon at big providers either. But larger companies have dedicated security teams to make sure these things are solved quickly, rather than prioritizing speed to market and fixing things after a pentest.


I agree

Notably Cure53 recommends retesting and additional testing:

Once all findings are fully resolved, Cure53 recommends to once again test the Forward Email server configuration and the security codebases. More in-depth investigations are needed to, first, ensure the completeness of the fixes and, second, to ensure that no other severe threats continue to be hidden deeper within the complex.
