It sounds to me as if this is something serious, and if the developers believe it is as serious as you say ... I appreciate that you have taken the time to report the issue, even though I do not know what it is.
The private information of my family members / loved ones is being given away without their consent. Names, email addresses, physical home addresses, phone numbers, birth dates, ordinance/priesthood information, appointment times and locations, and more . . . are publicly available. Not serious?
First, I do not believe that Security is going to comment publicly on a matter such as this, or any other similar matter. I think that ultimately they will just do what they think they need to do without saying anything at all about it.
After submitting the form, a message appeared saying I will receive a response shortly. That never happened. Regardless of what they decide to do about a public post-mortem, I would expect at least acknowledgement that they're fixing it.
This is not a giant tech company and, as I am sure you know, they do not operate like one. I would be absolutely shocked to see any type of "post-mortem" report at all.
Just curious, how does the church deal with applicable laws regarding data privacy and retention? In some regions, a leak such as this would absolutely be required to be disclosed at least to those whose data was leaked. Short of an actual post-mortem, can we at least expect they will follow those laws? I know for a fact it affects citizens in EU regions, and I would be surprised if the Church was exempt from GDPR and other similar laws around the world.
With the knowledge of this information, I am trying to be responsible by posting status updates here, for accountability reasons. Of course I won't share any details before it is fixed, but I do think it's prudent to keep a record of what is happening. That's all.
Since you say someone has contacted you behind the scenes, I am certain that they are working as quickly and as best they can to resolve this issue, whatever it is. The mere fact that they reached out to you tells me they are taking it seriously. And I am doubly impressed that you were contacted so quickly, even if it seems they are taking longer than you feel they should to resolve the problem.
Yeah, I was actually really pleased to have been contacted so quickly on this forum; and my contact has been a delight to communicate with. It sounds like the issue is finally being escalated internally, and that's good. However, the "official" way of submitting and handling security reports clearly needs drastic internal improvements.
I don't mean to sound gruff. This bug just strikes a personal chord given the sensitive information, the breadth of the leak, and the fact that myself and other loved ones are affected; and I figured the Church's IT/tech dept. would be bigger or have more resources given the size of the organization. I'll patiently await the fix and report back.