Security Researcher Gets Sued for Doing Their Job: This Is Why We Can't Have Nice Things

By TheVibeish Editorial
Another week, another security researcher getting threatened with legal action instead of a thank you. This time, someone found a vulnerability, disclosed it responsibly, and got a cease-and-desist letter for their trouble. Honestly, this pattern is exhausting.

Here's the thing: security researchers are doing unpaid QA for your product. They spend their own time poking at your systems, finding the bugs your team missed, and then politely telling you about them instead of dropping the exploit on Twitter. The correct response is "thank you," not "we'll see you in court." But companies keep choosing legal threats over gratitude, and it makes zero sense.

Every time this happens, it sends a message to every other researcher: don't bother. Stay quiet, or worse, sell the bug to someone who will actually pay for it. That is the definition of shooting yourself in the foot.

The irony is painful. These same companies will turn around and pay bug bounty hunters thousands of dollars for the exact same work. The only difference? One report came through the official programme, the other through an unsolicited email. Both are helping you secure your product.

What's wild is that this keeps happening despite years of evidence that it's a terrible strategy. Every time a company threatens a researcher, it gets roasted on Hacker News, its reputation takes a hit, and it ends up walking the threat back with an embarrassing apology. Nobody wins.

The fix is simple: publish a security.txt file (RFC 9116) at /.well-known/security.txt so researchers know where to report, publish a vulnerability disclosure policy with safe-harbour language that says good-faith research will not be met with legal action, and have a legal team that understands the difference between a security researcher and a threat actor. If someone emails you "hey, I found a bug in your auth system," your first instinct should be to loop in your security team, not your lawyers.

Until companies figure this out, we're going to keep seeing these stories. And every time, the security community gets a little less willing to help. Can't blame them, honestly. Why would you volunteer to improve someone's security if there's a chance they'll sue you for it? The next company that does this deserves whatever embarrassing security incident inevitably follows. You've been warned.
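Since "have a security.txt file" is the one concrete step above, here is an added example (written for this edit, not code from TheVibeish or from any company in the story) of what a valid file looks like and a small checker for the RFC 9116 rules that most often go wrong in practice: the required Contact and Expires fields, Contact values that are bare email addresses instead of mailto: URIs, and an Expires date that has already passed. The two sample files are constructed for illustration; example.com is a placeholder, not a real contact.

```python
"""Minimal RFC 9116 security.txt checker (added example, not the article's code)."""
from datetime import datetime, timedelta, timezone

REQUIRED = {"Contact", "Expires"}
SINGLETON = {"Expires", "Preferred-Languages"}          # RFC 9116: at most once
KNOWN = REQUIRED | {"Acknowledgments", "Canonical", "Encryption",
                    "Hiring", "Policy", "Preferred-Languages", "CSAF"}
_CANON = {k.lower(): k for k in KNOWN}                  # field names are case-insensitive

# Fixed "now" so the results below are reproducible (constructed, not the real clock).
FIXED_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Return {field: [values]} ignoring comments, blank lines and PGP cleartext armour."""
    fields, in_signature = {}, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            in_signature = True
            continue
        if line.startswith("-----END PGP SIGNATURE-----"):
            in_signature = False
            continue
        if in_signature or line.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
            continue
        if not line or line.startswith("#") or line.startswith("Hash:"):
            continue                                     # comment or armour header
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'Field: value'")
        name, _, value = line.partition(":")
        name = _CANON.get(name.strip().lower(), name.strip())
        fields.setdefault(name, []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of human-readable problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for f in sorted(REQUIRED - fields.keys()):
        problems.append(f"missing required field: {f}")
    for f in sorted(SINGLETON):
        if len(fields.get(f, [])) > 1:
            problems.append(f"{f} must appear at most once")
    for f in sorted(fields.keys() - KNOWN):
        problems.append(f"unknown field: {f}")
    for c in fields.get("Contact", []):
        # A bare address is the most common mistake; RFC 9116 requires a URI.
        if not c.startswith(("https://", "mailto:", "tel:")):
            problems.append(f"Contact must be an https://, mailto: or tel: URI: {c}")
    if len(fields.get("Expires", [])) == 1:
        try:
            exp = datetime.fromisoformat(fields["Expires"][0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                problems.append("Expires must carry a timezone")
            elif exp <= now:
                problems.append("security.txt has expired; researchers will not trust it")
            elif exp > now + timedelta(days=366):
                problems.append("Expires should be less than a year away")
        except ValueError:
            problems.append("Expires is not an ISO 8601 date-time")
    return problems


# Constructed sample: what a reasonable /.well-known/security.txt looks like.
GOOD = """\
# Constructed sample for a hypothetical example.com, not a real organisation's file
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-01-01T00:00:00Z
Policy: https://example.com/security/policy
Canonical: https://example.com/.well-known/security.txt
Preferred-Languages: en
"""

# Constructed sample with the two most common defects: bare email, stale Expires.
BAD = """\
Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
Policy: https://example.com/security/policy
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, check_security_txt(sample, now=FIXED_NOW) or "OK")
```

Pair the file with the Policy URL it points at: that page is where the safe-harbour wording lives, and a security.txt that links to a policy nobody can find is only half the fix.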