- Feel free to "reverse engineer" the code. In fact, here it is on github if you want to scrutinize it.
- We generally credit security researchers who find real security holes (with limitations for duplicates, etc.). Over the last few years, some of the most critical bugs in PostgreSQL were found by professional security researchers doing things like fuzz testing.
- If you think you've found a security issue, please report it to firstname.lastname@example.org. If it turns out to be a non-issue, we'll tell you, and you can report it as a regular bug.
- Be prepared to answer questions about your report. We showed you our code, you can show us yours.
And please ... update your servers! We send out those incremental updates for a reason, and often as not, there are security patches. More information on our Security Page.
Note: the above is my personal opinion and is not the opinion of The PostgreSQL Project or any other organization.