Again sounds like a management failure. Why aren't you boss talking with their boss and asking what the fuck is going on, and putting the development on hold until it's been agreed on? Again your boss is the one who is wasting your time, they are the one responsible for that what you spend your time on is actually useful and valuable, which they clearly messed up in that case.

As I already said, management ultimately is the root of the blame. But what you don't seem to get is that at least some of their blame is from hiring dumbasses into that security review role.

Why did the security team initially give the okay to checking signatures on plugin jars? They're supposed to be security experts, what kind of security expert doesn't know that a signature check like that could be modded out? I knew it when I implemented it, and the modder at the partner corp obviously knew it but lacked the tact to stay quiet about it. Management didn't realize it, but they aren't technical. So why didn't security realize it until it was brought to their attention? Because they were retarded.

By the way, this application is still publicly downloadable, still easily modded, and hasn't been updated in almost 10 years now. Security review is fine with that, apparently. They only get bent out of shape when somebody actually tries to make something more useful, not when old nominally vulnerable software is left to rot in public. They're not protecting the company from a damn thing.