To be fair, according to the timeline it looks like he did take over a month to report the last vuln after he found it (AWS keypair).
To be fair, according to the timeline it looks like he did take over a month to report the last vuln after he found it (AWS keypair).