A vulnerability in DoorDash's business platform allowed anyone to send convincing, branded phishing emails from official servers. The flaw remained unpatched for over 15 months despite reports. The discovery sparked a heated dispute between the researcher and DoorDash, highlighting tensions in vulnerability disclosure and bug bounty ethics. While the flaw is now fixed, the case underscores the challenges of aligning security research with corporate responses.