
Allowing reuse of a TOTP sounds exactly like 2FA bypass to me.



A 2FA bypass would mean you can completely bypass the TFA protections. His attack doesn't allow that - you still need to steal the OTP somehow. It's only notable in situations where you can steal OTPs but for some reason only after they have been used. That does not seem like a likely scenario so I'd say it is low priority.

Still, it's definitely an embarrassing flaw and probably trivial to fix so taking over a year to fix it is not great.


I think the main point stands though, and the OP was spinning things quite hard with the whole “they don’t take security seriously.”

I mean okay, when I file a bug report and it’s marked as low sev, it makes me salty too, but then I don’t go on forums to spread FUD about the team.


* It was initially closed as "not applicable". I had to insist that it was a vulnerability.

* It was originally scheduled to be fixed within about 90 days, which was reasonable, but they kept delaying it more and more.

* They took 4 months to notify me that they'd fixed it. That's 21 months in total from opening to closing it.

* They miscategorised the severity as low, when the exact same vulnerability was medium. It's quite feasible for a determined attacker to set up a camera to record a monitor, and it doesn't require any special exploit code or tools. Exploiting it gives you access to the "crown jewels".

* They didn't open a CVE. Probably didn't issue a security bulletin to their customers, but I didn't check.

* They don't commit to fixing security issues in a timely manner.

* They didn't make the effort to fix the issue themselves; it was incidentally fixed when they eventually updated a dependency which had been unmaintained for years.

* The fix was as simple as pointing to a patched fork of the dependency (there was an unmerged PR), not something that requires more than a year to fix.


People like you are why companies hate bug bounty programs. Complaining about a bug marked low severity when your stated attack vector requires installing a physical camera.
