by penguat 4181 days ago
Yes, quite clear that they didn't give it the priority it warranted (aka giving a shit) - just wanted to point out that there was a friendlier option timing-wise. For my money, I'd have seen this disclosed 11 months ago - it's a serious vulnerability to the extent that I'm glad I've never used moonpig.com - but I'd have seen it disclosed in the UK daytime when the company was awake to be able to shut down its API. There's even an argument to be had that waiting as long as this is a little irresponsible - although that's covered to some extent by following up.

I don't know if it's legal to give advance warning of public disclosure - that could easily become a minefield as it might be interpreted as a threat, and linking it to a request to fix could seem coercive.