I'm gonna go against the grain on this one and call it karma whoring. Here's the formula:
1) Pick a company that has been the source of recent controversy.
2) Find a silly security flaw in one of their products that you can make sound serious with a bit of sensationalism. This should be easy to do, because most web apps have a few silly security holes.
3) Inform the company, and when they inevitably assign the silly flaw a low priority, write an inflammatory blog post and submit it to major news aggregators (e.g. news.yc).
I'm going to go exactly with the grain of all my previous comments here and call you full of it.
Did you read the post? We reported this over a year ago. We notified them repeatedly. We withheld the name of the vendor for over a year as a courtesy. They started with a "soft no", and, when Dave checked in a few months later, they simply ignored our email.
Also: 37Signals has nothing to do with the recent Ruby "controversy" (where by controversy, you mean "someone found security vulnerabilities in it, and some blogger freaked out about it"). 37Signals doesn't produce Ruby; an Open Source team does.
The issue here is that one of 37Signals' signature philosophies is "just say no" and be true to your own vision of your product when users request things you don't want to do. Fine. But there's a slippery slope to that logic, and you need to be careful not to fall down it. Some requests that you don't want to do, especially when they come from paying customers, can't be blown off.