they suffered a bad hack with their lightning hub a while back, not sure if there are any more security holes... who knows. I wouldn't run a lightning hub unless it was written in Haskell or Rust
Discussion
there were many
SQLi that did not get fixed for months, as they passed all JSON field names verbatim
I think this is still true today, but if the node gets restarted or any form of network error happens, the payment will be considered failed
they did not account for hold invoices in Eclair
they have not properly audited their access control code
and more