@73b17510 Jake Gold @ Bluesky commented there about my first email to them.

He is accurate on the timing (received Friday, acknowledged Tuesday, separate discussion about documentation Wednesday), but he's being very misleading when he talks about the severity.  More specifically, my email had nothing whatsoever to do with the vulnerability I disclosed a few days ago -- my email was about a trivially abused DDoS that was fixed after being reported a month later -- see: https://github.com/bluesky-social/atproto/pull/1313 

 @73b17510 I'll also say as an aside that the test posts I made to demonstrate that particular flaw are still there.

It takes 43 seconds for one user to load that one post.  I don't even want to know what that's doing to various backend systems and how it scales with more views.

https://cdn.fosstodon.org/media_attachments/files/111/072/894/597/608/838/original/2ab5f91548bb08bc.png