
> Companies won't inform of vulnerabilities. They may/should inform users if they think their data was breached, which is different.

They wrote up an API with extremely basic security flaws and didn't know until someone came and told them. Let's be honest: they have _no_ idea if anyone's data was breached. Users should know so they can be extra cautious; the data in question can ruin lives.

> Not clear why "the public" should be informed, either.

The public will be informed because why would the security researcher keep quiet? They also _should_ know because it's important information for someone considering trusting that company with sensitive information.

> Ultimately they thanked the researcher and fixed the issue, job done.

Hard disagree. It's not the worst possible response, but it's not good and it wasn't done.
