This is what the blog writer wrote in the email informing them about the vulnerability:

> I am offering a window of 30 days from today the 28th of April 2025 for [the organization] to mitigate or resolve the vulnerability before I consider any public disclosure.

> Please note that I am fully available to assist your IT team with technical details, verification steps and recommendations from a security perspective.

He is offering a window of 30 days and says that he will consider public disclosure only after that window. He didn't say that this was the full and final window. He didn't say that he will absolutely and definitely disclose. He is being more than co-operative by being willing to offer his time and knowledge in this matter, even if he doesn't need to.

If they are not Google, then instead of push-and-shove legal threats, they could have been forthcoming and said something like, "We are not an IT company with expertise in this matter. We will definitely need more than 30 days to resolve this matter. Please let us know if you are agreeable to a longer time window of <n days> before you consider disclosure."

To top it all, they ask to keep this matter away from the authorities despite:

> The Maltese National Coordinated Vulnerability Disclosure Policy (NCVDP) explicitly requires that confirmed vulnerabilities be reported to both the responsible organization and CSIRTMalta.

So he followed the law and that is bad, how?

> I don’t think cc’ing the national agency was that necessary given the scale of the problem.

Children's addresses were publicly accessible via the vulnerability - does the urgency solely require the matter to be large scale to be taken seriously?

> Maybe should’ve just given them a call and have had a friendly chat over the phone. You would’ve helped them and stayed friends.

The same could be said about the company. Why are only people expected to be nice and friendly while it is fine for companies to issue legal threats?
