I agree that security by obscurity is a terrible security policy. But you have to cut the developer a little slack, he goes and makes a nice thing to put immigrants at ease (95% incorrect reports still better than no report information as one can just assumes ICE is everywhere), with proven by reverse engineering he doesn’t collect or store data and he’s not interested in storing aggregate data. In return he gets threats from government on him and his family, praise but also criticism and hatespeech from random internet folks.

This dev does appear to have a problem with separating wheat from chaff. While the security researcher does raise several legitimate points, the way it is presented and the way it was reported to the dev sounds a bit adversarial and can be interpreted like a conclusion in search of evidence. Disclosure periods are usually days at minimum, weeks to months depending on the severity. There would be more time to properly explain, rather than “You need a warrant canary!”, which will simply be met with “No, I don’t!”.

Edit: sorry for triple commeting, app was timing out