561 points by bearsyankees | 1 comment
xutopia | No.43965126
That's crazy to not have responded to his repeated requests!
replies (3): >>43965190, >>43965227, >>43965306
mytailorisrich | No.43965306
A company has no duty to report back to you just because you kindly notified them of a vulnerability in their software.

> During our conversation, the Cerca team acknowledged the seriousness of these issues, expressed gratitude for the responsible disclosure, and assured me they would promptly address the vulnerabilities and inform affected users.

Well, that was the decent thing to do and they did it. Beyond that it is their internal problem, especially since they did fix the issue according to the article.

Engineers can be a little too open and naive. Perhaps his first contact was with the technical team, but then management and the legal team got hold of the issue and shut it off.

replies (2): >>43965406, >>43967411
kadoban | No.43965406
> > During our conversation, the Cerca team acknowledged the seriousness of these issues, expressed gratitude for the responsible disclosure, and assured me they would promptly address the vulnerabilities and inform affected users.

> Well that was the decent thing to do and they did it. Beyond that it is their internal problem and, especially they did fix the issue according to the article.

They didn't inform anyone, as far as I can tell. Especially users need(ed) to be informed.

It's also at least good practice to let security researchers know the schedule of when it's safe to inform the public; otherwise, in the future, disclosure will be chaotic.

replies (2): >>43966051, >>43966062
mytailorisrich | No.43966051
Companies won't inform of vulnerabilities. They may/should inform users if they think their data was breached, which is different.

Not clear why "the public" should be informed, either.

Ultimately they thanked the researcher and fixed the issue, job done.

replies (2): >>43967425, >>43968950
pixl97 | No.43967425
> Not clear why "the public" should be informed, either.

Because it's the law in some states now.

Furthermore, mandated reporting requirements are how you keep companies from making stupid security decisions in the first place. Mishandling data this way should be a business-ending event.

replies (1): >>43967681
autoexec | No.43967681
Instead it seems like business as usual. Without laws with teeth sharp enough to hurt it'll just continue to be like this.