Just great.

Obviously the customers don’t need to know that their audit logs not only could have been turned off for conversations without any extra authentication, but also are so easy to turn off that it happens by accident without any extra intervention.

Also their entire Vulnerability disclosing guideline is security/compliance/image theater.