A Blog From Behind the Trenches

Comments have been popping up in forums and blogs about the claim that Opera never responded to the reporter of the Cross Domain Charset Inheritance Vulnerability:

Unfortunately neither Microsoft nor Opera were interested in the
vulnerability. Opera did not react at all on our bug report and
Microsoft just sent a nonsense mail to us, claiming that we had
disclosed this already to the public and that they like getting
advance notice.

The person who reported this to us was in fact contacted after he had reported the issue to us and before the vulnerability was disclosed (this is logged in our internal systems so that we can verify that we have followed up on important things). Security vulnerabilities are taken very seriously by Opera Software, and people who find flaws and report them to us will be contacted to coordinate fixes and disclosure of the vulnerabilities in question.

It is not clear why he did not receive our response, but I am sure it will be worked out somehow. It is all probably just a misunderstanding, and not malice on his part or ours.

But the important thing to know is that it wasn't being ignored.