They told the company at least a day beforehand: https://t.co/dnvq8F3Ad0


For anyone reluctant to click on a shortened URL, the full URL is https://lh3.googleusercontent.com/-BwS8oOqrxSQ/VUgoAVekqjI/A...


That's a significantly short amount of time to be able to address an issue before knowledge of the vulnerability becomes public knowledge.

I'm all for releasing a vulnerability after it a) is mitigated or b) becomes clear the responsible party has no plans to address the vulnerability in a timely fashion.

One day is in no way responsible unless the researchers were told pointedly that there was no plan to address the issues.

IMHO.


They (claim they) gave the company 30 days, and assert they could have extended it if it seemed a fix was upcoming and a few more days were necessary, but they only ever got ignored or lawyer-threatened over it.


In a later PDF, the lawyer complains about IOActive wanting access to company engineers on "a few days notice".

I really don't support people throwing around the DMCA, but if the company's lawyer's complaints are accurate (if) then IOActive sounds like they prioritized having a quasi-journalistic "scoop" over professionalism.

https://plus.google.com/118103547235676487972/posts/Sot7Tp1C...


Update: IOActive claims they gave 30 days notice, and that the company ignored it for 29 days. I guess we'll see which side is telling the truth.

Maybe they wanted to try to stealth-fix it without admitting an issue ever existed, and ran out of time?

Or it might be incompetence rather than malice. Maybe someone failed to take action until day 28.
