I'm pretty torn on it, ethically, because of the stuff that can be obtained. Ultimately though, I think it would be better to publish one, since it should force them to actually fix it. I'm clearing it with some people first, but I'm thinking I'm going to do that later today or tomorrow.
It's now been one week and one of the court platforms in my recent disclosure[1] is still vulnerable to the issue that was reported to them by multiple state agencies over two months ago. They have not responded to my emails.
At what point does it become appropriate to publish a PoC? There's some Really Bad Shit™️ that can be obtained, so it's a tough position to be in.
I'm just testing a punycode domain instance. You may safely ignore this message (I would be interested in seeing a screenshot of what this message looks like on the feed though, if some kind soul felt so obliged).