I don’t know the Immich API, but I’ve seen several REST APIs that used the usual pattern of

GET /api/v1/user/<id> - read user
POST /api/v1/user/ - create user
...

but also allowed

GET /api/v1/user/<id> - read user
GET /api/v1/user/?action=create - create user
...

Well, they did it anyways, so…

Also this might work as an answer to “yeah, it’s a bug, but we won’t pay you”

I couldn’t help but find it amusing—they were now asking me to keep the report confidential, despite having initially dismissed it as out of scope.

“Sorry, but per your own guidelines this is out of scope. Because of this, this bug is not part of the agreement and guidelines on Hackerone. You can find my full disclosure, that I wrote after your dismissal here: <Link>” /s

Imagine getting a 404 or 500 error. Then archiving that on archive.org (and screenshot that dialog on steam) and accept the terms. If there’s any problem and they say you violated the EULA, point them to the terms you accepted.

Nintendo in my experience:

Physical: Get it right on release day (or in the first week after) in retail for about 40€, otherwise you will have to rely on rare good retail discounts to get it below 55€

Digital: Don’t you even dare to think about discounts

because it won’t let you do that:

elvith@testvm:~$ sudo rm -fr /

rm: it is dangerous to operate recursively on ‘/’

rm: use --no-preserve-root to override this failsafe

Yes, though you could also do rm -rf /* afaik to not need --no-preserve-root

Edit: I just realized that the * is already in the meme. So this should already work as is. Alternatively you could always use the good old way of “act now and remove all French roots of your system: rm -fr / --no-preserve-root”

I did that once with another company. The result was that I got an abuse complaint from them and my domain got on a spam blacklist for a while.

Since then, for such mails it’s only abuse reports and sinkhole their domain if possible.