by Keyframe 342 days ago
[3] https://supabase.com/.well-known/security.txt

That "What we promise:" section reads like a not-so-subtle threat framing, rather than the collaborative, even welcoming tone one might expect. Signaling a legal risk which is conditionally withheld, rather than focusing on, I don't know, trust and collaboration, would deter me personally from reaching out, since I have an allergy towards "silent threats".

But, that's just like my opinion man on your remark about "XYZ did not follow our responsible disclosure processes [3] or respond to our messages to help work together on this.", so you might take another look at your guidelines there.


I hadn't noticed it before, but it looks like that somewhat passive-aggressive wording is a common phrase in responsible disclosure policies: https://www.google.com/search?q=%22If+you+have+followed+the+...

"Responsible disclosure policies" are mostly vendor exhortations to people who do a public service (finding vulnerabilities and publicly disclosing them) not to embarrass them too much. The fact that they contain silly boilerplate is probably just a function of their overall silliness.

Ah well, sounds off-putting to say the least.