This is not a one-person project run by someone in their spare time, posted online for fun.
They are going out of their way to advertise so that people use their security-critical software in security-critical applications, and then they neglect the security.
While they aren't under any legal obligation, it's (in my worldview at least) pretty damn unethical.
All they would have to do to not be unethical is make it clear that this software should not be used in any security-critical application because it is not properly/frequently maintained. Put that in a header on the website.