> We attempted responsible disclosure by emailing dev@ajay.app multiple times on July 3 and 4, 2026, but received no response.
SponsorBlock is run by one guy. I consider this very irresponsible. You barely waited, and accessing (what you consider to be) the private data of 82k users is not at all necessary to prove a vulnerability. Luckily, most of these aren't really vulnerabilities.
But I'll go over the claims:
> This allowed us to enumerate and download almost the entire user database.
No. SponsorBlock says it has 13 million users, so 82k is not anywhere near "the entire user database".
> 8NpFUCMr2Gq4cy4UrUJPBfGBbRQudhJ8zzex8Gq44RYDywLt3UtbbfDap3KPDbcS
This is not a YouTube API key. It's an API key for a SponsorBlock API route that acts as a proxy to fetch information about a YouTube video.
> AIzaSyA8eiZmM1FaDVjRy-df2KTyQ_vz_yYM39w
This is an API key accessing some internal YouTube APIs. It's documented in many places and belongs to YouTube Android.
> PostgreSQL connection: postgresql://sponsorblock:pw@127.0.0.1:5432/sponsorTimes
You believe these are real creds?
> Admin password hash, global salt, Patreon integration keys, webhook secrets were exposed in repository files
From the CI and test configs...?
> High - Public Grafana Dashboard
Why do you consider this "High" or "Critical"?
> POST /api/skipSegments and POST /api/voteOnSponsorTime endpoints accepted submissions without proper user verification
This is intentional. The extension generates a UUID and uses that as a user ID.
> Batch queries revealed additional sensitive fields including userAgent.
What is sensitive about these fields? https://github.com/ajayyy/SponsorBlockServer/blob/1dd7a32092...
Sorry to say, but prompting some AI model and forwarding the results does not make you a security researcher.