Reminder that what you're describing is "coordinated disclosure", and that there are in fact plenty of people who consider "full disclosure" to be preferable in some or all cases.

I think I'd personally develop a minimal patch and then publically disclose.

I'm not sure it's be reasonable to leave an actively exploited critical bug until August. Nor would I be too interested in playing middle man or paying for support from curl to get it out.

the vulnerability is there whether disclosed or not. if you find it, someone else has too. sitting on it is the irresponsible thing.

Why not? Only a tiny fraction of curl user get it from the upstream website/repo. Most users get curl/libcurl from their OS/application vendor or package manager, all of them having their own maintainers. There is no reason a temporary patch couldn't be produced by them in the meantime.

Taking 1/3 of the standard time budget to get back to you isn't ideal, but it's not "a documented lack of cooperation".

And if you find something halfway through the month then oh no two weeks to reply, that's basically a standard business interaction at that point.

Why are you interpreting clear communication of a window of downtime with 2 weeks notice as a "lack of cooperation"? That's what cooperation looks like. It's not explicit but my read was that they're not even taking a vacation - they're just doing the rest of their job, a lot of which is probably going to be shipping fixes for vulnerabilities that are already triaged.

There are no "rules" for responsible disclosure. We have guidelines that we have broadly accepted, but at the end of the day whether or not you discussed responsibly is in the opinion of your peers.

There's no such thing as "responsible disclosure on a technicality". Don't be a dick, and work in good faith to keep users safe.

Wrong, but thanks for documenting how uncooperative you are.