Thanks for the reply — really appreciate it.

The company doesn’t deal with health or financial data, but yeah, user impersonation and access to private messages is still serious enough to expect some level of accountability.

I’m holding off on sharing more details for now since mentioning the domain + the vuln might make it too easy to identify the company.

I’m leaning toward a public write-up after giving them fair notice.

One more thing is that the vulnerability has already been fixed (I reported it 3 weeks ago), so not sure how much leverage that still gives.