Adafruit’s post about a demand letter from Fenwick, sent on behalf of Defy Gravity, Inc. Flux.AI, is the kind of thing that makes “responsible disclosure” sound like a joke the lawyers are in on.

Adafruit:

Adafruit accessed only information that Flux’s own systems made publicly available through a server misconfiguration. Adafruit’s reporting concerns a matter of public security interest and was conducted in the ordinary course of responsible disclosure.

That is the whole fight in two sentences. A company exposes something, a reporter notices, and suddenly the story is not the exposure. The story is whether the reporter can afford the blast radius of saying so.

The Computer Fraud and Abuse Act has always been a handy fog machine for this move. You do not need to win the argument on security if you can make the other side spend money proving they were allowed to look at what your server handed them.

The AI angle makes it uglier, not more novel. A startup selling the future should not need the oldest trick in the crisis-PR drawer: threaten the people who found the mess. If your public systems leak public facts, the problem is not the public.