A further clarification:

If it's determined however that the dev was being intentionally malicious... ala sticking the infamous RM joke into postrm.. thereby laughing at anyone that decides they don't like their app.. Or if someone scans source code of an app in Extras and see's code that is capturing and sending passwords, for example.. and the Dev rushed them to Extras due to a different exploit (we're moving forward, remember?)

That would require immediate banning, notice to the Dev their privs are revoked.. and a more detailed announcement here at what exactly the app did - and if anyone has or ever had installed it they likely need to either:
A) modify their postrm real quick
or B) change all their passwords

Etc. Those affect the users directly in a malicious and harmful way.. and people should be warned.

A lot of a punishment has to do with the intention of the dev. If they circumvented some rules out of laziness or self-gain that's one thing. If they did it to create a mass-virus.. that's different.