they disclosed 30 days after the patch was merged in the thing they reported to.
replyits the same disclosure policy as google's project zero, and several other major players, so you should probably be trying to ping a lot more people
reporters should not be responsible for finding out and individually reporting to every downstream consumer. blame the kernel security team, who is in a much better position to coordinate notifications to individual distro security teams.
In the original thread they admitted multiple times that they rushed it out for marketing reasons.
replyas an explanation for the misnumbered redhat version.
replythe disclosure itself followed a normal timeline, which you can view at the bottom of their blog post.
deleted
replyThe security research community would run you out on a rail if you tried to take a successful research product and attach mandatory disclosure norms to it.
replyCouldn't the product itself disclose to the vendors?
replyNo firm in the world would use a vulnerability research product that automatically disclosed to vendors.
replydeleted
reply