VladVladikoff 4 hours ago

Hey Xint Code / tylerni7 <https://news.ycombinator.com/threads?id=tylerni7>, maybe you should improve your disclosure process as well? Maybe make it mandatory for users of your tool?

john_strinlai 4 hours ago | parent | next

they disclosed 30 days after the patch was merged in the thing they reported to.

it's the same disclosure policy as Google's Project Zero, and several other major players, so you should probably be trying to ping a lot more people

reporters should not be responsible for finding out and individually reporting to every downstream consumer. blame the kernel security team, who is in a much better position to coordinate notifications to individual distro security teams.

VladVladikoff 2 hours ago | parent

In the original thread they admitted multiple times that they rushed it out for marketing reasons.

john_strinlai an hour ago | parent

as an explanation for the misnumbered Red Hat version.

the disclosure itself followed a normal timeline, which you can view at the bottom of their blog post.

tptacek 3 hours ago | parent | prev

The security research community would run you out on a rail if you tried to take a successful research product and attach mandatory disclosure norms to it.

VladVladikoff an hour ago | parent

Couldn't the product itself disclose to the vendors?

tptacek an hour ago | parent

No firm in the world would use a vulnerability research product that automatically disclosed to vendors.