
dcdigitalvbm's Introduction

The TrustTheVote Project

The TrustTheVote Project is a collaborative open source project for the development of election technology. All of the current activity on GitHub takes place in the GitHub project called trustthevote-project. All of the active repos can be found at https://github.com/TrustTheVote-Project

dcdigitalvbm's People

Contributors

alg, ejohnsebes

Forkers

alg

dcdigitalvbm's Issues

Beware: This, like all Internet voting schemes to date, is too insecure, and this is brittle software

The README for this project omits some critical information.

Most obviously, when used in the US District of Columbia Vote-By-Mail (VBM) trial in 2010, this software was thoroughly compromised by a team from the University of Michigan. See "Attacking the Washington, D.C. Internet Voting System" by Scott Wolchok, Eric Wustrow, Dawn Isabel, and J. Alex Halderman.

Even assuming that the specific bugs they identified may already be fixed, they note that the architecture of this software reveals a "brittle" approach to security, and the use of COTS code is also problematic since COTS developers commonly use a "penetrate and patch" methodology. Rather than carefully building in security defense-in-depth from the beginning, developers most often only react to demonstrations of "penetration", and apply "patches".

For example, besides the many, many issues with the software and the deployment in DC noted by the Michigan paper, this software also relies on a flawed ballot marking approach. It requires users to mark their ballots via their own PDF software, and upload the PDFs to this software. It was quickly discovered that for users of Safari on the Mac, using the native built-in PDF support, the SAVE AS command saves the unmodified blank PDF of the user's ballot, instead of the modified version that contains the marks with the user's votes. This would likely disenfranchise some voters who would think they had voted just fine.

Also, allowing users to upload their own PDFs to the online server, which are then interpreted by the offline tabulator, also allows for attacks on that offline tabulator via cleverly-crafted PDF files.

It is also a usability problem, since many users will not have used a PDF form-filling application, and such applications often have other usability issues, such as not allowing a user to deselect a choice once a choice has been made.

I heartily applaud the developers and the DC BOEE for releasing the code as open source, and having a public trial to provide some chance that security flaws would be found. But the lessons learned should also be incorporated into the publicly posted repository!
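Added example, not part of the issue above or of the project's code: a minimal upload triage for the two PDF problems the issue describes, flagging a byte-identical unmarked blank ballot and PDFs that carry active-content names before they reach the tabulator. The function name, reason strings and sample PDFs are constructed for illustration.

```python
import hashlib
import re

# PDF name tokens that trigger actions or carry embedded payloads.
ACTIVE_NAMES = re.compile(
    rb"/(JavaScript|JS|Launch|OpenAction|AA|EmbeddedFile|RichMedia|XFA)\b")
# PDF names may hide characters as #xx hex escapes, e.g. /J#61vaScript.
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def triage_upload(data: bytes, blank_sha256: str) -> list[str]:
    """Return reasons to hold back an uploaded ballot PDF (empty list = pass)."""
    if not data.startswith(b"%PDF-"):
        return ["not_a_pdf"]
    reasons = []
    # The Safari "Save As" failure: the voter uploads the untouched blank form.
    # Only an exact copy is caught here; a re-saved blank needs field inspection.
    if hashlib.sha256(data).hexdigest() == blank_sha256:
        reasons.append("unmarked_blank_ballot")
    # Undo #xx escapes so obfuscated names match, then look for active content.
    # Limitation: names inside compressed object streams are not visible to a
    # byte scan, so this is triage, not a substitute for isolating the tabulator.
    decoded = HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)
    found = sorted({m.group(1).decode() for m in ACTIVE_NAMES.finditer(decoded)})
    reasons += [f"active_content:{name}" for name in found]
    return reasons


# Constructed sample inputs (not real ballots).
BLANK = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/AcroForm<</Fields[2 0 R]>>>>endobj\n"
         b"2 0 obj<</FT/Btn/T(mayor)>>endobj\n%%EOF\n")
BLANK_SHA256 = hashlib.sha256(BLANK).hexdigest()
MARKED = BLANK.replace(b"/T(mayor)", b"/T(mayor)/V/Choice1")
CRAFTED = MARKED.replace(
    b"/Type/Catalog", b"/Type/Catalog/OpenAction<</S/J#61vaScript/JS(x)>>")

if __name__ == "__main__":
    for label, pdf in (("blank", BLANK), ("marked", MARKED), ("crafted", CRAFTED)):
        print(label, triage_upload(pdf, BLANK_SHA256))
```

A hit on `unmarked_blank_ballot` is the case where the voter should be told immediately that no marks were received, rather than discovering it after the count.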
