This is extremely disappointing. The insurer in question has a very good reputation within the dive community for acting in good faith and for providing medical information free of charge to non-members.
This sounds like a cultural mismatch with their lawyers. Which is ironic, since the lawyers in question probably thought of themselves as being risk-averse and doing everything possible to protect the organisation's reputation.
I often find that conversations between lawyers and engineers are just two very different-minded people talking past each other. I'm an engineer, and once I spent more time understanding lawyers, what they do, and how they do it, my ability to get them to do something increased tremendously. It's like programming in an extremely quirky programming language running on a very broken system that requires a ton of money to stay up.
Could you post on HN on that? Would be worth reading.
And are you only talking about cybersecurity disclosure, liability, patent applications... And the scenario when you're both working for the same party, or opposing parties?
I'm talking about any situation where a principled person who is technically correct gets a threatening letter from a lawyer instead of a thank you.
If you read enough lawyer messages (they show up on HN all the time) you will see they follow a pattern of looking tough, and increasingly threatening posture. But often, the laws they cite aren't applicable, and wouldn't hold up in court or public opinion.
> they follow a pattern of looking tough, and increasingly threatening posture. But often, the laws they cite aren't applicable, and wouldn't hold up in court
And it takes years to prove that and be judged as not guilty, or if guilty (as OP would likely be for dumping the database), that the punishment should be nil due to the demonstrated good faith even if it technically violated a law
Wouldn't you say the threats are to be taken seriously in cases like OP's?
I'm curious to hear your take on the situation in the article.
Based on your experience, do you think there are specific ways the author could have communicated differently to elicit a better response from the lawyers?
It would take a bit of time to re-read the entire chain and come up with highly specific ways. The way I read the exchange, the lawyer basically wants the programmer to shut up and not disclose the vulnerability, and is using threatening legal language. While the programmer sees themself as a responsible person doing the company a favor in a principled way.
Some things I can see. I think the way the programmer worded this sounds adversarial; I wouldn't have written it that way, but ultimately, there is nothing wrong with it:
"I am offering a window of 30 days from today the 28th of April 2025 for [the organization] to mitigate or resolve the vulnerability before I consider any public disclosure."
When the lawyer sent the NDA with extra steps: the programmer could have chosen to hire a lawyer at this point to get advice. Or they could ignore this entirely (with the risk that the lawyer may sue him?), or proceed to negotiate terms, which the programmer did (offering a different document to sign).
IIUC, at that point, the lawyer went away and it's likely they will never contact this guy again, unless he discloses their name publicly and trashes their security, at which point the lawyer might sue for defamation, etc.
Anyway, my take is that as soon as the programmer got a lawyer email reply (instead of the "CTO thanking him for responsible disclosure"), he should have talked to his own lawyer for advice. When I have situations similar to this, I use the lawyer as a sounding board. I ask questions like "What is the lawyer trying to get me to do here?" and "Why are they threatening me instead of thanking me?", and "What would happen if I respond in this way?"
Depending on what I learned from my lawyer I can take a number of actions. For example, completely ignoring the company lawyer might be a good course of action. The company doesn't want to bring somebody to court and then have everybody read in a newspaper that the company had shitty security. Or writing a carefully worded threatening letter: "if you sue me, I'll countersue, and in discovery, you will look bad and lose". Or, and this is one of my favorite tricks, rewriting the document to what I wanted, signing that, and sending it back to them. Again, for all of those, I'd talk to a lawyer and listen to their perspective carefully.
> which the programmer did (offering a different document to sign).
> IIUC, at that point, the lawyer went away
The article says that the organization refused the counter-offer and doubled down instead
> he should have talked to his own lawyer for advice
Costing how much? Next I'll need a lawyer for telling the supermarket that their alarm system code was being overlooked by someone from the bushes
It's not bad legal advice and I won't discourage anyone from talking to a lawyer, but it makes things way more costly than they need be. There's a thousand cases like this already online to be found if you want to know how to handle this type of response
Sounds very usa-esque (or perhaps unusually wealthy) to retain a lawyer as "sounding board"
> This sounds like a cultural mismatch with their lawyers.
Note that the post never mentions lawyers, only the title. It sounds to me like chatgpt came up with two dozen titles and OP thought this was the most dramatic one. In the post, they mention it was a data protection officer who replied. This person has the user's interests as their goal and works for the organization only insofar as that they handle GDPR-related matters, including complaints. If I'm reading it right, they're supposed to be somewhat impartial per recital 97 of the GDPR: "data protection officers [...] should be in a position to perform their duties and tasks in an independent manner"