Disclosing a fairly significant (albeit very niche) vulnerability like this via a comment on HN 3 weeks later isn't really best practice. Was there a disclosure prior to this post going up?
This HN post is a link to a disclosure from the security researchers who worked with Dropbox (note: I work for Dropbox).
It is not generally the case that companies disclose quickly-patched vulnerabilities that were reported by white-hat security researchers. Example of a similar vulnerability with a similar response time by another company: https://blog.duosecurity.com/2013/02/bypassing-googles-two-f...
Researchers disclose a while after the vulnerability is patched. This is standard practice.