Fascinating read and I learned something new about the issue with AngularJS.
The only thing that didn’t seem to sit right with me was the disclosure timeframe; the initial contact after business hours on the 24th December and then the details publicly disclosed on the 5th Jan.
I think it’s quite common for people to be off during this time of the year, more so office workers. Less than two weeks over a known holiday period just doesn’t seem like the right thing to me.
It’s even a little worse than that, as he doesn’t seem to have gotten any sort of acknowledgement of receipt of the disclosure until the 28th, and has no word on whether he waited to hear back from them, or about whether the vulnerability is still live.
I just had a check out of interest, and it does seem to be vulnerable still.