I work on both sides of the fence. I respond to reports by researchers and I submit my own fair share to a large number of companies. The problem that is always present and which all employees taking vulnerability reports need to understand is that there are scenarios outside of their realm of thinking which could bite them. In this case Schofield shouldn't have pushed back on the researcher and instead used the report as justification via a 'headline test' with the development team to make what should have been a simple code modification to use a strong random identifier. Instead Schofield introduced organizational bias that the information wasn't sensitive and now looks rather silly as a result, especially given it looks like the issue may have just been remediated. It is never good when a problem can't be tackled within a 30-day window at the frustration of a security researcher but can then be tackled within a matter of hours over a weekend.