First, imho, everyone is responsible for his own security, and if got owned by virus, backdoor or RAS, the fault is their. But! People are able to write plugins 4 bukkit. People are able to put very bad code into that plugins, code like downloading external programms from their places, start them... and... gotcha, your server is carried over by some script kiddie. People are evil (not all people, but many). How is the bukkit-dev-team thinking about this issue? Will they check every plugin for bad code? Will there be a team that do this? Or will they leave the users with the risk of infection? Will there be a middleway, like plugins that are signed 'officialy declared as secure by checking' and plugins that are not, but free to use but a little bit riskier? And whats with autoupdates? Will they be checked before available? Who can promise me, that a plugincoder who once thought 'i will never betray my users' just turn into an evil bad script kiddie that now thinks 'i need a botnet, i will use all the servers using my plugin for that'. Coding such a system has its responsibilities.