Last week, I wrote about how Joshua Aaron's ICEBlock app, which allows people to anonymously report ICE sightings within a 5-mile radius, is – unfortunately, and despite apparent good intentions – activism theater. This was based on Joshua's talk at HOPE where he made it clear that he isn't taking the advice of local community groups, that ICE sightings aren't verified in any way, and that he doesn't know what he's doing when it comes to security and privacy.

In that post, in the section about his "HIGHLY secure" server that he kept mentioning, I wrote:

Without providing more details, I also discovered that his server is running outdated software with known vulnerabilities.

I was intentionally vague because I knew that his server was vulnerable at the time of writing, and I didn't want anyone to exploit one of these vulnerabilities before he had a chance to fix it.

ICEBlock has been downloaded over one million times from the App Store. I don't know whether Joshua's server stores data related to these users or the reports they submit, but it might, and he certainly bragged about the security of it in his HOPE talk.

I'm publishing this because it's important for people who are trusting ICEBlock to know that the developer is careless about computer security, even when people specifically point out security issues and give him time to fix them. Hopefully his server doesn't have any user data. Hopefully no one will hack his server despite the fact that he's making it easy for them to. And hopefully this blog post will compel him to finally fix the issue.

Joshua runs two Bluesky accounts: @iceblock.app, the account of the ICEBlock app, and @joshua.stealingheather.com, Joshua's personal account. His personal account had DMs closed, but the ICEBlock account had DMs open, so I sent him DMs there.

On September 1, I wrote:

Hey Joshua, I'm one of the people who saw your HOPE talk and asked some of the questions.
I'm giving you a heads up that I'm preparing to publish a blog post about...
First seen: 2025-09-08 13:44
Last seen: 2025-09-08 23:49