by enraged_camel 3247 days ago
I think legal's involvement is perfectly normal. Part of damage control consists of figuring out the legal ramifications of the product/service having technical vulnerabilities. Especially if those vulnerabilities leak customer data.

What isn't cool is legal deciding to go after the party disclosing the vulnerability.


Not having much experience on this subject, I have to ask: would you not get your developers to verify that the vulnerability is there and fix it while the legal department is doing its thing? The vulnerability is already out there, and the sooner it's fixed the better. Why would they forward everything to their lawyers first thing?
If the email contains code or something that looks like code, or otherwise looks like it is discussing technical things, it is not unusual to run it through legal before letting any engineers see it.

That's because companies routinely receive unsolicited product proposals, ideas for new features or enhancements, and the like. Often these overlap with things they have been working on internally but that are not known to the public.

If they let engineers see these unsolicited mails and then later come out with an even vaguely similar feature they may find themselves in an intellectual property dispute with the emailer.

Aw gee, that makes sense, yes. Never worked for a company big enough to need this. Also, I'm in Italy, so some things might work differently here.