by jlees 4108 days ago
Well, they did say "no, we need more time, please don't disclose this" on the iOS auth bug. The author's response was to wait 90 days and then disclose it without waiting for the go-ahead. Is this SOP in security circles? It's certainly unusual in non-security interactions.
2 comments

"Disclosure deadlines have long been an industry standard practice. They improve end-user security by getting security patches to users faster." http://googleprojectzero.blogspot.com/2015/02/feedback-and-d...

"Vulnerabilities reported to the CERT/CC will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors." https://www.cert.org/vulnerability-analysis/vul-disclosure.c...

No, the author's response was to contact them again to get a status, get no response, then disclose after 90 days, all while informing them multiple times of the imminent disclosure.

It's great that they said they needed more time, but they completely dropped the ball on that communication chain, and got more than enough chances to ask him to wait.