> I immediately disclosed this to the Avelo team. They were responsive, professional, and took the findings seriously, patching the issues promptly.

(emphasis my own)

Sorry but I strongly disagree with this phrasing. This is a company "serving over 6 million customers since its 2021 launch" (from Google) that took four weeks to patch an embarrassing security flaw, after being handed all the details on a silver platter.

Imagine a food chain serving a million meals a year was revealed to be storing their food products in unsanitary conditions, and it took them a full month to correct this. That story would make national headlines, not to mention they could get promptly shut down by any competent health ministry.

I think this attitude mostly reveals how complacent we've become about these """incidents""": we just expect this to happen, everywhere and all the time, then we just shrug and say "they fixed it within a month, how responsible of them".