Responsible disclosure is pretty much a security industry concept, it's not something that most developers know about, complaining on Twitter is probably what an average person would do.
Although for what it's worth last time I reported a security vuln to Apple using their official process they took around 2 years to fix it (admittedly low priority security vuln, passwords being sent over http).
Wow I didn't believe this at first, so I dug more. AWIS requires the root key of an AWS account. I found a forum that does suggest creating a new account solely for AWIS.
Still I'm surprised they would suggest sending the root key to your account over http. Even if it is just the id and not secret it still seems like something you want to keep secure. I don't use my root key for services. I create new accounts and IAM roles.
> complaining on Twitter is probably what an average person would do.
His twitter account tells
that he is an agile software craftsman, turkey founder and a community guy. And he tweets about devops, open source and other stuff.
An average person disguised as a software developer?
