They didn’t release anything into the wild. It existed. The irresponsible thing would be letting it keep existing without telling anyone.
reply
You cannot deny that telling the entire world about this vulnerability before it is patched won't cause a lot of abuse that would not have happened otherwise.
reply
I do deny that, mostly because we’ve entered the time of automated vulnerability detection and abuse. A human need not be in the loop at all anymore.

But, even if I agreed with you, how do you propose they tell the patchers this in a way that doesn’t tell the whole world?

reply
Why not?
reply
What number of days do you want? If nobody tells the distros it could be months or years, and while it would be nice for the researchers to monitor/notify distros it's really not their job. They might not have thought of it.

And they dropped it on a Wednesday.

reply