One of the reasons this unavoidable deadline was invented, is that the alternative is that one company (or all of them) can simply decide to ignore the vuln report, and then the vulnerability will stay forever undisclosed and forever out there in the wild. And prisoner's dilemma suggests that most companies would chose "do nothing" in this scenario: they don't have to do anything, and if the vuln stays undisclosed, it probably won't be exploited anyhow. Win-win!

▲

ori_b 2 hours ago | parent [-]

I'm confused. Can you explain how this applies to the current situation, where no vuln reports were submitted to the groups responsible for distributing patches?

▲

john_strinlai 2 hours ago | parent | next [-]

>where no vuln reports were submitted to the groups responsible for distributing patches?

the vulnerability report was submitted to the kernel security team and appropriate kernel maintainers. those are the people responsible for patching the kernel, which they did 30 days ago.

▲

ori_b 2 hours ago | parent [-]

I see, may the people who are responsible for the infrastructure you depend on be less concerned about shifting blame than you are.

	▲	john_strinlai 2 hours ago \| parent [-]
		imagine you use a dependency in your code. like left-pad. and some vulnerability is found in left-pad. is the reporter of that vulnerability responsible for finding and submitting a vulnerability report to every single piece of software that uses left-pad? all ~millions of them? or do they submit the report to left-pad, get them to fix it at the source, and trust that the people relying on left-pad will update their software like they should when they see a security-relevant update is available?

▲

Joker_vD 25 minutes ago | parent | prev [-]

> the groups responsible for distributing patches?

Those groups don't exist, to my knowledge. And probably can't, realistically speaking.