He points out that after reporting the attack privately on Thursday around 15:46 UTC, there was no response for four days, including a weekend, before the issue was made public on Monday at 13:21 UTC. Dave suggests that this is an unusually quick decision to go public, noting that it's more common to allow at least 30 days for a response to such reports. He indicates that often, additional prompts for a response might be necessary within this period. This highlights the importance of giving adequate time for triage and response to security vulnerabilities before disclosing them publicly.