There are clearly 2 different levels of "evaluation" at play here.
Being able to "evaluate" every security bug submitted to you in 15 minutes implies relatively insignificant bugs, or it implies that you are not "evaluating" the bugs you claim you are "evaluating".
The first time a report came in on Meltdown/Spectre/Heartbleed, whatever, there is no way any serious security researcher could have fully evaluated that report in 15 minutes, never having seen or heard tell of it previously. Heck, just pulling together the requisite hardware and getting the requisite software on it might take more than 15 minutes. I don't buy that it could be "evaluated" in 15 minutes.
How do you feel about the word "triaged"? There are some reports that are obviously going to be worth an immediate response and some that aren't. And some will slip through the cracks, in either direction, because the queue is being watched by a human and not a robot. If the report contains a screenshot of your private admin panel, it's getting escalated.
Anyone serious got advance notice of Meltdown/Spectre/Heartbleed and had longer than 15 minutes to decide a course of action. Whether that's a good or bad thing about infosec as an industry, I can't decide.