No Problem
It's not like people reuse their user names, passwords or credit cards.
Dutch software engineer Tijme Gommers has revealed a still-active reflected cross-site scripting vulnerability and borked password controls in McDonald's main website that could be fodder for phishing attacks. The attack, reported on Gommers' blog, is possible thanks to an Angular expression injection vuln present in mcdonalds …
I'd start with wondering with why anyone would leave their details on a McD website to start with, but (a) RESPONSIBLE disclosure means you give a sensible amount of WORKING days to address the issue before you go public (in this context I've always had a bit of problem with a fixed deadline time because issues differ, but a month is sensible as the bad guys will find this too) and (b) McD's responsibility should not be overlooked - if you take details you have to protect them and it's not like this is rocket science. By now there's enough sample code and help out there to do it right.
I'd start with wondering with why anyone would leave their details on a McD website to start with
You could ask the same question about visiting the restaurants, but enough people do so that you're just going to have to accept that it's something people want to do, even if you don't get it.
but (a) RESPONSIBLE disclosure means you give a sensible amount of WORKING days to address the issue
And increase it if your disclosure is close to Christmas, because honestly even if you take the public holidays into account there's at least four additional working days where productivity is likely to be next to zero.
and (b) McD's responsibility should not be overlooked - if you take details you have to protect them
Yes, agreed. Even from the description above, it's fairly easy to tell that this isn't going to be something they can just patch up in a few minutes; it sounds like they've been complacent for quite a long time and they're way behind the curve. It's going to take quite a bit of effort for them to update their system to make it secure.
That rubs both ways: We should definitely be criticising them for letting it get to that point. But now that it's out in the open also we should give them the space to do the work to fix it.