Stop blaming the reporter. Start asking kernel to fix their process. Linux kernel is no longer a toy project, it has full time employees employed by various companies. They should have handled notifying distributions. Not some rando.

▲

4 hours ago | parent | next [-]

[deleted]

▲

dweinus an hour ago | parent | prev | next [-]

No, I will. The distros and the kernel devs should be talking and moving on high sev patches, sure. But real people will have gotten hurt because the reporter didn't want to wait for that to happen. That's on them.

	▲	john_strinlai 25 minutes ago \| parent [-]
		you must be unfamiliar what used to happen before hard deadlines were set on disclosure. it was much worse for the users. here is a good start: https://projectzero.google/vulnerability-disclosure-faq.html... there is ~3 decades of more context if you search for it.

▲

pkoiralap an hour ago | parent | prev [-]

It's one thing to report a vulnerability, another entirely to make a crazy exploit available for any tom, dick, and harry to take and use. It was irresponsible of whoever came up with it to release it in the world without first giving major distros a head's up.

	▲	bell-cot an hour ago \| parent [-]
		Bashing on the reporter is pointless feel-good. This is a massive vuln. It was 4 weeks after Kernel had a patch. They had no way to know if others parties had also discovered the vuln. Lord Knows how many millions of systems could already have been rooted. The reporter is not their minion. If I call 911 to report a fire at an oil storage facility - and they ask me to alert the hospital, then phone the neighboring county's Sheriff Dept., and then...yeah. Either I'm way out in the sticks (and known to/trusted by the 911 operator), or else the 911 service is run by children.