[kevincox]

> If you can't either verify the user has actual access to other people's consoles [...] in 18 hours, then you should probably just close up shop

It's impossible to prove a negative. Maybe they believe that this was user error/malice but are doing more research to confirm this and find evidence of a vulnerability.

[tw04]

>It's impossible to prove a negative. Maybe they believe that this was user error/malice but are doing more research to confirm this and find evidence of a vulnerability.

So it's impossible for me to prove that nobody has walked through my front door today? I'm quite confident it isn't. I'm also confident if they have sane logging in place, they can prove accounts weren't being accessed by unauthorized users.

You're also talking in vagaries like they're hunting a ghost. They've been interacting with a willing end-user who originally reported the error.