by mikeash
4322 days ago
Personally, I don't see how responsible disclosure can really apply to cases like this. This is not some obscure vulnerability. It's a deliberate design decision with obvious tradeoffs. It's analogous to a bank keeping deposits sitting on tables in front of the building. It's obvious to anyone who looks, and it should have been obvious to the person who came up with the scheme. The point of responsible disclosure is to give companies a chance to fix a vulnerability before it becomes widely known. That doesn't work when the problem is obvious to anyone who glances at it, because you've lost your chance at "before". For something like "you can hijack session cookies sent over an unencrypted connection", I can see how that would warrant responsible disclosure. But for "this entire feed is dedicated to sensitive information, and it's sent in clear text by the very nature of the protocol you've chosen to deliver it", it doesn't seem like it works.