He didn't know how to evaluate the security impact or what to do about it. But he knew enough to know he should take it seriously. This is commonly referred to as "being paranoid" and is a natural reaction given the situation. Commendable even.
No, commendable would have been waiting a reasonable amount of time for the author to respond, and not including suggestions that the bug (that they didn't analyse the impact of) was an intentional backdoor.
... ridiculed by the OpenBSD hyenas?
Cheap, ad hominem, etc.
Noting that NIST didn't specify any form of truncated SHA-1
Not SHA-1, but SHA-224 and SHA-384 are truncated hashes specified by NIST.
In many (perhaps most) contexts, the critical security factor is the square root of that number
Not in this case, unless you have corpora of ~2^80 bcrypt hashes and want to find a collision with one of them.