Comment by Aurornis
4 days ago
Their website says they're a freelance cloud architect.
The article doesn't say exactly, but if they used their company e-mail account to send the e-mail it's difficult to argue it wasn't related to their business.
They also put "I am offering" language in their e-mail which I'm sure triggered the lawyers into interpreting this a different way. Not a choice of words I would recommend using in a case like this.
This is a good point. I think we get a couple of emails a week for exactly this kind of bottom feeder 'consulting firm' 'offering' to tell us all about some massive security issue they found, as long as we sign up for a 'consulting engagement'[1]. On the other hand, we generally ignore them, not threaten to sue them.
[1] We get about as many 'pay us a bounty or we'll tell the world about this horrid vulnerability we found'. I have suggested to legal we treat those like extortion attempts to make them go away and stop wasting our time but legal doesn't want to spend time on it.