Zack Whittaker reports that Talkspace threatened a researcher who blogged about a problem he found on their site in signing up for a free year’s subscription.
John Jackson said he was able to sign up to Talkspace, a popular therapy app, as if he were an employee at one of the companies whose health insurance plans covers Talkspace’s services. Some of these sign-up links are found in Google search results, some of which aren’t advertised on the company’s website.
But Jackson said he found little to no evidence that the sign-up page verifies that a user is eligible for the free year-long subscription.
With the help of TechCrunch, Jackson contacted Talkspace, who does not have a bug bounty program, to warn them about the potential bug.
But the company rejected the claims, telling Jackson that it has “multiple internal processes in place to protect against abuses,” without providing specifics.
So Jackson published his findings on his blog.
For his efforts, he received a cease and desist letter
accusing the researcher of defaming Talkspace “by broadcasting untruths” in his blog post.
TechCrunch published the entire cease and desist letter within their reporting on this incident. You can read both here.