[ikeboy]

I went back through his tweets to 2014, searched AVG, and found nothing before Oct, and that wasn't a request for contact, which came in December.

The report is dated from this month.

Re removing it: they can remove it from the webstore. As long as it's in the webstore, they shouldn't be releasing 0-days that haven't been patched yet.

[taviso]

You expended a lot of effort on what could have been easily resolved by asking me. The XSS that you're concerned about was for illustrative purposes only, and could not be used in an attack due to mixed-content errors.

I don't really want to discuss disclosure ethics with you, but will say that our documented policy was followed to the letter.