Reacting fast is the least the vendor could do. Bare minimum. This should not be applauded. It should be treated as "well, at least they reacted at a reasonable speed so the root cause was probably not malice".
In other words, a quick turnaround with a fix does not lessen the impact of being negligent about security when designing the product.
You’re technically correct, given a literal reading of the post you quoted, but the use of “could” there was idiomatic - let me explain:
There’s a (fairly dated) idiom, “it’s the least I can do”, used when you are offering to do something to make up for a mistake or offense, but the person you hurt says your offer of compensation is unnecessary. For example:
Situation: Person A bumps into Person B in the cafe, causing B to drop their coffee cup.
A: I’m so sorry! Let me buy you another coffee.
B: That’s not necessary - it was an accident, and I had almost finished my drink anyway.
A: It’s the least I can do!
B: Oh, thank you so much!
Buying B a new coffee is not _literally_ the least A could have done - the least A could have done is nothing - but that’s the English idiom. “Can” is acting more like “should” here. You could read it as “It’s the least I can do (if I’m a good person, which I am)”.
Thank you for the explanation -- when I'm speaking foreign languages I appreciate this sort of explanation. But in this case, as a native English speaker, I was well aware of the idiom, and was trying to subvert it. :-)
The original idiom is said in the first person, and as you say means essentially, "Justice and equity compel me to do this; I don't find myself able to do less".
GGP was actually using a derivative of the idiom in the second person. What the derivative literally says is, "Justice and equity compel them to do this; they don't find themselves able to do less". But idiomatically, what it actually means is, "Justice and equity ought to compel them to do this; they ought not to find themselves able to do any less".
Which is true; but it's still the case that the vast majority of companies find themselves very much able to do far less. Justice and equity should compel companies to do this bare minimum, but in the vast majority of cases it doesn't. And so we should still commend those who do find themselves so compelled, and hold them up as an example.
[some edits]
> Reacting fast is the least the vendor could do.
And yet, so few do. Let's remind ourselves the bar sank into the floor a long time ago.
> Reacting fast is the least the vendor could do.
It's certainly the least a vendor should do, but it's absolutely not the least a vendor could do, as we see the vast majority of vendors do far, far less. It's worth holding people up and saying, "This is how you should be doing it."