I'm the reporter of these (and other) issues and the author of the vuln repository this article links to.
While I appreciate your response, the accuracy of the timeline you provided (Wednesday's email was about documentation), and your comment that "[w]e do want to handle these kinds of reports better", I can't help but point out that even today, Bluesky still hasn't reached out to me about the specifics of these (and other...) vulnerabilities. Bryan Newbold did email me a week after this disclosure to answer a few questions, but it didn't address the vulnerabilities at all; I like Bryan -- the few discussions we've had have been positive -- but he isn't the person that should have emailed me.
Side note, https://bsky.app/profile/jacob.gold/post/3k7frqmvhft2b sure did seem personal. The timing suggests that it was made solely to mock the situation. (To be clear, I like and respect @retr0.id a lot; I've bounced some of my ideas off of him and he's the "second security researcher" I referred to in the vuln repository.)
This whole thing has put an extremely bad taste in my mouth.