Hmm, did you just post this "disclosure" on your blog before informing the company? Well, now everyone is at risk if your claims are true. Poor form.

Proper course is to disclose to the company first, then disclose publicly after a fix is in place in a reasonable amount of time. Why risk everyone for your benefit?



"In the interest of responsible disclosure I did try and contact the dev multiple ways, I was either ignored or not replied to and I feel users deserve to know what’s happening with their data."


At the bottom of the post it does state:

In the interest of responsible disclosure I did try and contact the dev multiple ways, I was either ignored or not replied to and I feel users deserve to know what’s happening with their data.


Everyone was already at risk, but they didn't know it. They were already downloading this content to devices everywhere.

He also says that he tried to contact the developer but got no response.

The dev would have been much better off apologizing, pushing a fix, and asking for a temporary embargo while the fix is put into place.


FTA:

"In the interest of responsible disclosure I did try and contact the dev multiple ways, I was either ignored or not replied to and I feel users deserve to know what’s happening with their data."


As you can read in the article, he did try to contact the developer.

That aside, though, when the issues are this egregious I'm honestly not sure what the right approach is. With flaws this bad it's hard to imagine that they're even capable of fixing the problems, let alone responding appropriately to the disclosure.


They seem like really easy problems to fix, too.


Puffchat put people at risk.


Fuck "Responsible Disclosure" in cases of utter incompetence like this.


TFA states precisely this:

"In the interest of responsible disclosure I did try and contact the dev multiple ways, I was either ignored or not replied to and I feel users deserve to know what’s happening with their data."
