Later on you can take your time rolling out a client fix if it's required, but a hotfix server-side is entirely possible. There's no excuse for keeping this vulnerability possible when it's been made this public (step-by-step instructions to hack someone's account, with screenshots!), especially since you were contacted privately about it ~3 months ago.
Be realistic. If two people need to talk about it, it's going to take longer than 2 minutes.
The two hours were most likely spent on office politics as opposed to fixing the problem. I'm surprised it wasn't > 5 hours to be honest.