by procinct 2779 days ago
I can’t help but feel that posting this in a HN comment when they’re showing off the site isn’t exactly responsible disclosure.

Responsible disclosure is meant when it can jeopardize user data or user devices. It’s reasonable to assume none of that applies for a brand new service. Especially now everyone is learning from it.
I disagree. I see HN as a community of people involved in similar pursuits, and demonstrating issues like this publicly is educational for everyone.
Sure, but you can "demonstrate" the details after it's fixed.
Seems like a lot of damage could have been obviously omitted by just removing anything os.system(), which for the purpose (not effect here) of Duolingo style education should have been just fine.

I get your point and the other guy’s too. I line up on the side that disclosures should be messy and embarrassing sometimes, as incentive to really think about what you are doing. The danger here is low.