

I’m not sure you can make that conclusion. This isn’t a real vulnerability, and this isn’t a surprise to anybody who knows how the AP protocol works. Dansup didn’t reveal anything that was previously unknown, the blog author just has an axe to grind. It’s unfair to assume that an actual 0 day vulnerability would have been treated the same way.
Not me who downvoted you, FYI.
To me, a vulnerability is something unforeseen, that allows bad actors to exploit the system in an unintended manner. In this case, the system is working perfectly as designed. Just because another system decided to implement a new feature without consulting anybody else, does not make it a vulnerability. Or perhaps it does, but with the vulnerability on the side of Mastodon, since they’re the ones telling their users their post is private when it is actually nothing of the sort.
What would I call it? An unsupported feature. One that Mastodon forced everybody else to implement without asking or any respect.