I hacked a dating app (and how not to treat a security researcher)

> I have been met with radio silence.

Thats when its time to inform them you are dumping the vuln to the public in 90 days due to their silence.

Good way to get yourself sued and have possible criminal charges brought up to you.

Which has never happened before and if it does then the EFF would back you presumably.

This is a completely uninformed comment. Security researchers get sued or threatened all the time. Bunnie was threatened by Microsoft for publishing his research on Xbox vulnerabilities, the city of Columbus sued David Ross for his reporting on data exposed during a ransomware attack, Google has threatened action against a few security researchers if memory serves and that is just what I can remember off the top of my head.

The government of Nova Scotia, Canada used to host its FOIA releases (similar to American freedom of information laws) on a website, with a URL along the lines of server.example.gov.ns.ca/foiadoc?=00031337

They are public and intended to be publicly accessed. A clever teenager [1] noticed -- hey, is that a sequential serial number? Well, yes it was. And so he downloaded all the FOIA documents. Well it turns out they aren't public. The government hosted all the FOIA documents that way, including self-disclosures (which include sensitive information and are only released to the person who the information is about). They never intended to publicly release a small subset of those URLs. (Even though they were transparently guessable.)

Unauthorized access of a computer system carries up to 10 years in prison. The charges were eventually dropped [2] and I don't think a conviction was ever likely. Poor fellow still went through the whole process of being dragged out of bed by armed police.

[1] https://www.cbc.ca/news/canada/nova-scotia/freedom-of-inform...

[2] https://www.techdirt.com/2018/05/08/police-drop-charges-file...

Why did they charge the teen and not the government of NS?