code: You're wrong about the minimizing the damage. I get what you're trying to say, but you occasionally leave out the possibility that such disclosures can cause (financial) damage without even having to be true. Something which we had to assume until proven because the formal requirements of reporting had not been fulfilled and we were caught off the hook by a bug. That's why they are in place, and lots of bug bounty programs have this mechanism in place to push people to report and investigate privately. I deduce his intentions based on the fact that he chose to ignore the formal requirement. We don't weasel out of shit, I speak for myself and I'm not in charge of the bounties.

I have given my research to sdcdev, I too figured out it was vulnerable after investigating the code. We started work on fixing this bug as soon as possible.