by deep_thinker26 200 days ago
It's so great that they allowed him to publish a technical blog post. I once discovered a big vulnerability in a listed consumer tech company -- exposing users' private messages and also allowing to impersonate any user. The company didn't allow me to write a public blogpost.
3 comments

"Allow"?

Go on, write your blog post. Don't let your dreams be dreams.

Presumably they were paid for finding the bug and in accepting relinquished their right to blog about it.
No, you relinquish the right when you agree to their TOS irrespective of if they pay you.
TOS != law

They will stop letting you use the service. That's the recourse for breaking the TOS.

I don’t want to pay for a lawyer to argue that for me. != law does not equate to ‘won’t come with a cost’.

I say this as someone threatened by a billion dollar company for this very thing.

Up until Van Buren v. United States in 2020, ToS violations were sometimes prosecuted as unauthorized access under the CFAA. I suspect there are other jurisdictions that still do the equivalent to that.
Being a sellout is weak and sad.
Why is the control of publication in their hands and not in yours? Shouldn’t you be able to do whatever after disclosing it responsibly?
Presumably they'll threaten to sue you and/or file a criminal complaint, which can be pretty hard to deal with depending on the jurisdiction. At that point you'll probably start asking yourself if it's worth publishing a blog post for some internet points.
Yet another reason these disclosures should be anonymous (from the reporting side).