I’m genuinely curious what you would call this and what distinguishes it from a vulnerability.
Leaving aside responsibility, the system could have been set up in a way that wouldn’t have exposed user data but wasn’t. This is now fixed and user data isn’t exposed via this method any longer. What is the right word for what it was at the moment this flaw was discovered?
I appreciate your reply and understand your perspective. I still don’t fully agree, it might be a matter of the point of view from which you look at this issue. But I think in essence we are on the same page.
Thanks for not abandoning the discussion!