90 days is standard for “you’re code is fucked when someone presses this…”; if the issue is Dave left the keys in the parking lot and someone copied them, two weeks is more than enough time for them to recieve the notice, create a ticket to rotate the keys and a ticket to trigger an investigation (gotta document anytime an org fucks up so it doesn’t happen again, right?). Maybe I’m over simplifying it though, I don’t know how their org operates.
90 days is standard for “you’re code is fucked when someone presses this…”; if the issue is Dave left the keys in the parking lot and someone copied them, two weeks is more than enough time for them to recieve the notice, create a ticket to rotate the keys and a ticket to trigger an investigation (gotta document anytime an org fucks up so it doesn’t happen again, right?). Maybe I’m over simplifying it though, I don’t know how their org operates.
I agree in general, but
This is exactly why just sticking to the 90 day standard is better. For the supposed security researcher it’s a CYA move at worst.