Here is my first impression, brand new registrant; 24 years security experience:
Good: Having logged in, registered, met their minimum password length, step 2 receive an email that asks for verification/confirmation (normal)
Terrible: The email includes, in plain text, my username and “my password, although offering to allow me to change it. <very bad practice> (why prompt for an initial password at all?)
For a web site of security professionals, offering security/malware support, they just violated the basic principles of privacy and contributed to phishing.
Suggest "strongly" that you do NOT email a password to someone that by default, should accept the responsibility of knowing the password that they used to register.
Free advice: 1) The easiest fix, do NOT send the password with the registration confirmation.
2) If you want to be better, do not ask for an initial password at all; instead YOU generate a radom password as part of the registration confirmation. Then, "require" the person to change their password upon logon. <best practice>
3) Believing that (2) might be difficult or a significant change to your registration process, take the easy way. Do not mail someone's password back to them as part of your registration confirmation. Password should be secure, and if anyone does this the correct way, it should be a community of security experts.
In my humble opinion: (IMHO)
If you/we/I am to be anti-spy/mal/virus advocates, then you/we/I must demonstrate by our actions those same practices. Fix your registration process, as the registration confirmation email violates basic privacy standards, and subject the registrant to possible phishing along the way.