What kind of defects and security vulnerabilities are we talking about? If they do static analysis (from website): we already use strcat, strcpy and sprintf 211x in all (all my checkouts) Xfce components. It's not that I'm against this, just curious... Greets, Nick