Thanks for the reply. My thoughts:

(1) As an ethical hacker, I try to disclose any security vulnerabilities I find in software. Have a look elsewhere in my blog for countless examples (nerds can look me up on HackerOne for more)! The vulnerabilities are there and eventually get exploited by bad guys whether or not I disclose them, but if I disclose them then service operators have a chance to fix them first. If you use Vodafone, HMRC, or the National Lottery, for example – all of these services are more-secure than they would be thanks to me, personally, breaking into them (and then telling them how I did so!). No, it’s not “fun” for their developers to be shown that they’ve got a security bug, but it’s their JOB, for which they’re paid, to fix them, and I feel that it’s the responsible and correct thing to do to tell them. Otherwise, the next person to find the vulnerability might not be so nice and people will get their money or identity stolen. (As a side benefit, I sometimes get awarded “bounties” for my efforts – kickbacks from companies who want to encourage “good guys” and incentivise them not to be “bad guys” – but personally I just do it for fun.)

With Jigidi, though, I didn’t see any potential for harm in the misuse of the technique, so I skipped the “tell the developers first” step and went straight to the “publish on the Web” step. I based this decision on the fact that nobody’s going to get defrauded out of their pension or spammed or whatnot as a result of this issue. Also because this is what basically everybody else who’s found an exploit for Jigidi has done. (Lots of other people have described similar techniques, apparently I just show up in search engines better!)

I see the point that Jigidi developers may feel they have to ‘fence’ with me. Maybe they do, but I’ve not seen any evidence of this: that my initial exploit no longer works may well be a coincidence. Regardless: the technique I proposed most recently, a little higher in the thread, is one that isn’t POSSIBLE for them to counteract (although it’s also not so effective as the original either). I’ve made no efforts beyond my initial post to ‘fence’ with them, and I’ve not seen anybody else do so either. So while your argument may be valid against something I DID, and I’ll consider that, it’s not something I’m DOING.

(2) You’re right, I suppose, that people might use techniques like the one I originally suggested (which no longer works) to get to the top of leaderboards, competing unfairly with my gran (well not my gran obviously, she’s been dead over a decade, but somebody’s gran, sure). When I originally came up with the technique, I honestly had no idea that there even were leaderboards or that people might “compete” at jigsaw-solving! I don’t use a Jigidi account while solving jigsaws using my approaches or otherwise, so I don’t appear on any leaderboards, and I don’t condone anybody else doing so either. It is, of course, impossible for Jigidi to completely police this (just like they can’t stop a team of people solving a jigsaw together, just like they can’t remove the advantage posed by people with larger screens) but I appreciate that my initial technique represents an incredible scaling-up compared to those advantages.

Again, techniques like mine are “out there” and being used regardless of whether or not I streamline, simplify and publish them. But I can see how I might, for the brief period that the technique in my blog post worked (I assume you’ve seen that it stopped working months ago, and as I mentioned I’ve never made any effort to ‘fence’ with Jigidi by making it work again), have helped facilitate cheating. I didn’t consider the possibility that somebody would use it to cheat at leaderboards because I only considered that people would use it if, like me, they found jigsaws boring and tedious, and using it to get onto scoreboards would require doing MORE boring and tedious things! But I suppose it’s possible that somewhere on the Internet there exist sad losers who would waste their time doing jigsaws slightly-faster than by hand in order to put their name on a scoreboard.

To mitigate that: I can promise that if I ever publish a streamlined technique for sidestepping Jigidi again, I’ll see if it’s possible to make it work only (or easiest, if that’s not possible) if you’re not logged in to a Jigidi account. Although again, I’m unlikely to do this – finding an exploitable bug in some code once is fun for me, doing it again and again on the same bit of code is basically what I’m paid to do at work so it’s a lot less fun! That’s why while you’ll find countless posts on my blog about how I hacked some system or another, you’ll not find one about how I did so TWICE!

Hope that explains my position, and what I’d do differently in future!