> "Cloudflare ended up completing patching the bug"

This short quote fragment is a little misleading: Cloudflare patched the bug in their systems that allow you to send HTTP requests to any CF data center, regardless of where the originator of the request lives. This is likely something they want fixed for a large variety of reasons, some probably much more important than the specific attack OP wrote about.

> I wish Signal would react differently.

The severity of a potential security issue, or the determination of who is responsible for fixing or mitigating it, is a matter of opinion. Just because you think this is important for Signal to fix, it doesn't mean it's some absolute truth that it does. At the risk of appealing to authority, I would expect that people who run a security/privacy-focused messaging project to have a better handle on classifying these sorts of things than random people on HN like you or me.

But of course, sometimes they'll get it wrong too. I'm not familiar with the bubble color thing you mention, but sure, nobody's perfect; we're all human and we make mistakes. I'm personally not convinced Signal needs to do anything here. A 250 mile radius is quite a large area, and users can already choose to not auto-download attachments. To be fair, though, I think a simple way for Signal to fix this would be to disable caching on the attachments HTTP endpoints, though that might increase their bandwidth bills and increase load on their servers, depending on what their access patterns look like.