Hacker News | master-lincoln's comments

Thanks for the laugh. Even if you only meant people from the US this is likely not true. What about government websites at .gov? 99% never visit them?

In other countries local TLDs are of course normal (e.g. .it for Italy, .za for South Africa, .cn for China...) and not only used for scam links.


That depends on jurisdiction. E.g. in South Korea true statements can constitute defamation too

You make it sound like a significant amount is going to the Kremlin but I assume the API cost for using Yandex from Kagi is negligible and only a fraction of that goes to the Russian government. Isn't this more of a symbolic thing to request not cooperating with Russian companies?

For some people it doesn’t matter how negligible. And it’s better to know and make up their own mind.

I think that "it's better to know" only really holds up if the scope / context is also included. To put it in concrete terms, I'd amend your statement like this:

Kagi indirectly funds the Kremlin's regime by paying for Yandex API access.


And you are not worried enough about other users that you reported the company or at least named them here?

Can a non-specific password constitute a specific protection? I guess no.

It can. The fact there is a password, even if you can trivially find said password, is considered a protection. The German law is completely absurd here.

Sure they might get rightfully scared because their neglect caused potential issues for their customers and having that public might decrease revenue.

But that is ok I think. They should get scared enough to not risk such a neglect again


But that is the intention, isn't it? The company showed neglect. The researcher has a moral right (and I would say duty) to make that public. It's nice of them to give the company some time to get their shit together. After the vulnerability has been fixed there is no issue for customers in publishing about the neglect. The bad press for the company is deserved.

The idea was to change the initial approach and not mention deadlines and just see if they’ll fix it. Point to the law indicating they should notify the authorities. Then if they don’t respond, give them a timeline, tell them you’re notifying them. Like the original post said, this is not Google, not a tech company; this looks like extortion of some sort to them. So it’s not that surprising what their response was.

It all depends on the goal. Is the goal for them to fix it most of all? To get them embarrassed? To make a blogpost and get internet points?


2FA does not mean smartphone. There are other variants too.

That's why passkeys were introduced. Cannot phish them.

Which is a problem because sometimes you need to.

The industry still doesn't understand the concept of delegation of authority and the fundamental role it plays in everyday life.

It also doesn't understand the idea of people making mistakes and the need to have robust recovery paths either.


What else would it mean?

That you are buying a bundle and it doesn't matter how much of the bundle you use, you pay the same amount every billing period?

So if I buy entry to the swimming hall that allows me to be there for 4 hours but also allows me to leave earlier you would call that a flat rate?

I have never noticed there are people who interpret it that way.


If it allows you 4 hours total per month yea

That you are charged a single fixed fee regardless of usage.

Nothing about that prevents a usage cap.


A cap pretty much is the opposite of regardless of usage
