But that is the intention, isn't it?
The company showed neglect. The researcher has a moral right (and I would say duty) to make that public.
It's nice of them to give the company some time to get their shit together. After the vulnerability has been fixed there is no issue for customers in publishing about the neglect. The bad press for the company is deserved.
The idea was to change the initial approach and not mention deadlines and just see if they’ll fix it. Point to the law indicating they should notify the authorities. Then if they don’t respond, give them a timeline, tell them you’re notifying them. Like the original post said, this is not Google, not a tech company; this looks like extortion of some sort to them. So it’s not that surprising what their response was.
It all depends on the goal. Is the goal for them to fix it most of all? To get them embarrassed? To make a blogpost and get internet points?