Yeah, that’s an incredibly short timeframe, done on a Friday with what looks like an 8-hour time difference.
Back before bug bounties, the industry mostly coalesced around RFPolicy[0] in terms of security notification and response timelines. Upon establishing initial contact, five business days were given for a response before public disclosure if no response was received.
To me five business days seems appropriate if you’re acting in good faith and truly interested in hearing a response. It doesn’t feel like that was the intent; it feels more like a weak attempt to use the lack of response to pile on further.
Timezone differences were accounted for (see my other reply), and this wasn't the first time they were hearing any of it. It was just the first time I put it into an article.
https://packetstormsecurity.com/files/23364/rfpolicy-2.0.txt...