That is not the part that seems like a problem to me. For companies with more than one employee, having a formal process to report vulnerabilities is absolutely the right way to do it, because otherwise there is very little chance that the right people would hear about it or have the details they need. There’s no clear distinction between a vulnerability and a bug, and it would be a mistake to rely on outside parties to correctly make the distinction, so submitting vulnerabilities through the bug tracker also makes sense.
What is troubling is the time they took, or at least appeared to take. Whatever they said publicly – and I wouldn’t expect any company, let alone Apple, to give a running Twitter commentary on active security issues – internally they should have recognised the size of the problem the same day, and escalated it to someone with the authority and wherewithal to disable group calling as soon as they knew that would mitigate the problem. The only thing we actually know is that it took them 8 days, and that certainly sounds like a long time for this particular fix.
In general though, bugs can easily take a lot longer than that to fix, which is why a security researcher would rightly be blasted for posting this on social media the same day they told Apple about it. You can’t expect a general-purpose mom to be aware of responsible disclosure practices of course, but this story probably wouldn’t have blown up if the vulnerability hadn’t been discovered by a non-hacker (which is extremely unusual).
