They took the time to do that after they had been contacted by the newspaper, and presumably after the problem had been fixed (since the paper allowed them them time to fix the problem before publishing and the first published report didn’t say that PTV had contacted the police).
I am not sure how that goes against what I was saying at all. I wasn’t arguing that they should have had more time to sort out the problem, but that the kid should have made real efforts (i.e. more than a single e-mail on a public holiday) to contact them to disclose the problem, rather than sending a single e-mail, waiting just over a week, then contacting a newspaper.
Instead, he should have e-mailed them and then when he didn’t receive a response he should have considered the possibility that it wasn’t received (flagged as spam or scam), was dismissed by a customer service person as a scam/phishing e-mail, etc and installed written another e-mail specifically requesting a response when the e-mail was received - perhaps a couple of days after the initial e-mail - and then if he didn’t receive a response to that then he should have made a phone call. You can never be sure asynchronous communication has been received, but with synchronous communication you don’t have that problem.
PTV may have bad policies which meant that the original e-mail was seen but ignored, or not appropriately responded to, and that should be investigated by PTV. However, that doesn’t change my opinion that the kid didn’t make reasonable efforts at ‘responsible disclosure’.
