I'll raise your false positive and see you in court
Interesting that the bug detection code is, in itself, buggy.
If I use OSS for my security, that is my lookout. Normally OSS is great: there are so many eyes on the code that I have a reasonable assumption that bugs will be found, and corrected in pretty fast time. Heartbleed is the exception that proves the rule, but, OK it is a biggy. However, I installed the code, it's my lookout, and I am responsible for any bleed from my system. My customers will expect that of me.
But if YOU release some code that says I have the bug, when in fact I don't, and you publish this, then that is your lookout. If your publicity of a false situation drives people away from my site, then this is libel - and in a commercial site that could cause me to seek redress.
This is doubly so if you then say that my rival's site is clean, when it isn't. Customers being customers, as we know, will register on the new site with exactly the same credentials as they had on the old site. How many of you use the same password on eBay, Amazon, etc? For most average punters this falls into two classes of people: those that use the same password and those that lie. Now, if someone gets their credentials from the new site they go to, which you said was fine, they get hacked, and come after me because you said my site was still broken, what am I going to do?
Paris - obviously, because her site is always free from bugs...... oh?