Comment by xocnad

4 days ago

I am apprehensive of the surveillance state and its potential for misuse. However, this disclosure content is less than ideal:

- It mixes two separate issues: 1) embedded default API key and 2) unauthenticated token minting

- The bulk of the disclosure focuses on enumeration of sensitive data that is implied could have been exposed via the default API key, but what is actually exposed is unclear: "The 50 "portal:app:access:item" privileges reference private item IDs that cannot be inventoried without actively querying each one which I did not do"

- The default API key was for "development" and there is no assertion that live data existed in that environment (though it wouldn't surprise me)

- The default API key was fixed in June 2025, it is only the token minting that has not been.

- The token minting issue is only asserted to "grant access to the geographic mapping of Flock's camera network locations" which would certainly be useful as a source for unethical updates to https://deflock.me/ but obviously not nearly as sensitive.

(And I've always used bullets/lists in my communications, long before AI did this)