Apparently the flaw was added to the config file in post-processing after it had completed testing. So they thought they had testing, but actually didn't.