by rdl 4374 days ago
Based on this timeline, I don't understand why Duo didn't go public on 2014-04-28 when PayPal began being weaselly about their bug bounty program. This probably would have been better for users for two reasons: one, in the past 2 months, this bug may have been exploited in the wild, and two, it would make it easier for users to make informed decisions about which payment providers to use in the future (as well as which 2FA providers are technically competent).
The disclosure process is always fraught with peril (and pain), and it's a safe bet that no matter what a discloser does, there will be some person or group who thinks they should have handled it differently. In a case like this, when reasonable time is given and the world gets to benefit from a great deal of work (effectively done for free), I tend to simply say thanks and make notes.

I was wondering the same. I think PayPal was very unresponsive and they could for sure have done a better job. That said, when they asked for 3 more days, I think Duo could have complied, and it would have made everyone happier.
> That said when they asked for 3 days

They asked for a month and 3 days. Duo wanted to disclose on June 25th; PayPal has a fix on July 28th.