I found a Vulnerability. They found a Lawyer

Diving instructor spots “open door” logins; commenters yell “name them!” as company lawyers up

TLDR: A dive instructor found a “guess-the-number + default password” login flaw, disclosed it, and got legal threats instead of thanks; it’s now fixed but users may not have been warned. Commenters split between “name and shame,” report to regulators, and “never sign,” with jokes about a GDPR boss fight.

A scuba instructor-turned-security pro says he found a shockingly simple login flaw at a big dive insurer: accounts used numbered usernames and a single default password—no lockouts, no extra code step (what techies call MFA), and lots of people never changed it. He reported it with a 30-day embargo, waited months, and says the company’s answer was… lawyers. The hole is now patched, but he hasn’t seen proof users—some of them kids—were warned. He refused to sign a broad silence pledge and asked for clarity.

The comments? A shipwreck of emotions. Veterans like xvxvx are exhausted, saying this is exactly how companies ignore security “with serious legal muscle” behind it. One camp is chanting “name and shame”, with refulgentis arguing Europe’s GDPR (privacy law) would trump corporate bluster—cue memes about a “GDPR boss battle.” Another camp, led by desireco42, wants a cleaner process: report straight to a national authority and let them handle it like a referee (and maybe pay a bounty). Then there’s vaylian’s hardline take: never sign anything when lawyers show up “to dominate.” The comic relief? A side quest accusing the post of sounding AI-made—circuit10 did a quick check and backed off. The internet’s verdict: from scuba bubbles to subpoena troubles, and apparently you could count to ten and log in.

Key Points

  • The member portal used incrementing numeric user IDs and a static default password for new accounts.
  • Users were not forced to change the default password on first login, and many accounts retained it.
  • The portal lacked rate limiting, account lockout, and MFA, enabling easy unauthorized access.
  • The vulnerability exposed full personal profiles, including those of underage students.
  • The issue was disclosed on April 28, 2025 with a 30-day embargo, later fixed; user notification remains unconfirmed.
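Each of the weaknesses listed above maps to a specific control in the login path. The following is an added example (not the insurer's code, and not part of the original thread) showing a minimal account portal that closes all three gaps: account IDs are random opaque tokens rather than a counter, every account gets its own random initial password that must be changed on first login, and repeated failures trigger a temporary lockout. The class and function names (`Portal`, `Account`, `MAX_FAILURES`, `LOCKOUT_SECONDS`) are invented for this illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

# Hypothetical policy values for the example; tune per deployment.
MAX_FAILURES = 5          # wrong attempts before the account is locked
LOCKOUT_SECONDS = 900     # how long the lock lasts
MIN_PASSWORD_LEN = 12
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    must_change_password: bool = True   # set until the initial credential is replaced
    failures: int = 0
    locked_until: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; never store the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Portal:
    def __init__(self, clock=time.monotonic):
        self.accounts: dict[str, Account] = {}
        self.clock = clock   # injectable so lockout expiry can be tested offline

    def create_account(self) -> tuple[str, str]:
        """Return (user_id, one-time initial password).

        The id is a random token, so it cannot be enumerated by counting, and
        the initial password is unique per account instead of a shared default.
        """
        user_id = secrets.token_urlsafe(12)
        initial_password = secrets.token_urlsafe(16)
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, hash_password(initial_password, salt))
        return user_id, initial_password

    def login(self, user_id: str, password: str) -> str:
        """Return 'ok', 'password_change_required', 'denied' or 'locked'."""
        acct = self.accounts.get(user_id)
        now = self.clock()
        if acct is None:
            # Same response as a wrong password so valid ids are not revealed.
            return "denied"
        if acct.locked_until > now:
            return "locked"
        candidate = hash_password(password, acct.salt)
        if not hmac.compare_digest(candidate, acct.pw_hash):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
                return "locked"
            return "denied"
        acct.failures = 0
        if acct.must_change_password:
            # Authenticated, but the session must be restricted to the
            # change-password flow until the initial credential is replaced.
            return "password_change_required"
        return "ok"

    def change_password(self, user_id: str, old: str, new: str) -> bool:
        """Replace the password; clears the first-login flag on success."""
        acct = self.accounts.get(user_id)
        if acct is None:
            return False
        if not hmac.compare_digest(hash_password(old, acct.salt), acct.pw_hash):
            return False
        if len(new) < MIN_PASSWORD_LEN or new == old:
            return False
        acct.salt = os.urandom(16)
        acct.pw_hash = hash_password(new, acct.salt)
        acct.must_change_password = False
        acct.failures = 0
        return True


if __name__ == "__main__":
    portal = Portal()
    uid, first_pw = portal.create_account()
    print("first login:", portal.login(uid, first_pw))      # password_change_required
    portal.change_password(uid, first_pw, "correct horse battery staple")
    print("after change:", portal.login(uid, first_pw))     # denied
```

The lockout is per account, which is what stops the "count to ten and log in" pattern from the thread; in production you would add a per-source-IP rate limit on top of it and a second factor for the profile pages, since the portal here only covers the password step.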

Hottest takes

"Wish they named them." — refulgentis
"Why sign anything at all? The company was obviously not interested in cooperation, but in domination." — vaylian
"Each country should have a reporting authority" — desireco42
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.