I am not sure if you formally informed Dfinity, or if it was a just conversation with a team member. Formally disclosing it to DFINITY per their disclosure policy and receiving an acknowledgement of receipt is important as it is a component of holding them accountable if things go off the rails.
In the interim, if it were me, I would:
- keep the vulnerability confidential and not disclose the vulnerability to anyone else
- send a message to Dfinity through their Security Vulnerability Program website with one’s expectation regarding a response.
If I felt that it had not received appropriate attention, I would contact their lead of security directly to alert them that a vulnerability has been reported and not actioned to your satisfaction. Unfortunately, Dfinity has not indicated who is the executive responsible for security. In this situation, I would inform Jan Camenisch (CTO), Josh Drake (COO) and Paul Meeusen (VP Finance) - they likely have accountability for corporate risk management.
If there is no response, I would then share the non-action with well placed individuals who can influence the DFINITY team. I did not see a senior legal counsel listed – odd – I guess vacant.
Full Disclosure is the option of last resort and not recommended. Spending effort on informing persons is far better than invoking such a drastic option. Doing so will communicate the attack vector that could be exploited exposing the community to misery.
The Dfinity Vulnerability Policy should be supported by strong cryptographic intake processes that protect the information from being disclosed. A public email address and a public web site do not give me a great deal of confidence in the rigour of the disclosure program.
A quick review of their Vulnerability Disclosure Policy makes me think it should be augmented to provide vulnerability information that has been reported and addressed. Vulnerability information that has been reported should be assigned a CVE number by Dfinity for follow up by the submitter. Dfinity should provide an indication of timelines to the person who communicated the vulnerability for initial response and time to resolution.