sgjohnson 6 hours ago

Not true: if there’s any evidence of the exploit being used in the wild, it’s much more responsible to release immediately.

Considering that the patches have been available for a while, someone surely reversed what they were for and was actually exploiting this in the wild.

In the age of AI, I’d argue that “responsible disclosure” is dead. Arguably even in closed source projects. Just ask Claude to do a diff between the previous version and to see whether anything fixed in there could have had security implications.

We’re not there yet, but very soon the only way to responsibly disclose a vulnerability will be immediately.

ori_b 6 hours ago | parent [-]

But they didn't release immediately -- they waited a month, but forgot to tell the distros, and forgot to check if waiting a month had actually led to distros picking up the patches and shipping them.