I'm fine switching up to 2.49 instead, and demonstrate the attack there. If I do find a bug in 2.5's source code, like say a memory leak or a possible worm attack, I'll report it as necessary.