Incrementing user IDs and a default password for everyone — so the real vulnerability was assuming the company had any security to disclose to in the first place.

At this point 'responsible disclosure' just means 'giving a company a head start on hiring a lawyer before you go public.'