| ▲ | MatthewWilkes 12 hours ago | |
I think very few people would consider that to be responsible disclosure. The common practice is to allow 90 days as a minimum. | ||
| ▲ | akerl_ 3 hours ago | parent | next [-] | |
Reminder that what you're describing is "coordinated disclosure", and that there are in fact plenty of people who consider "full disclosure" to be preferable in some or all cases. | ||
| ▲ | rustyhancock 8 hours ago | parent | prev [-] | |
I think I'd personally develop a minimal patch and then publically disclose. I'm not sure it's be reasonable to leave an actively exploited critical bug until August. Nor would I be too interested in playing middle man or paying for support from curl to get it out. | ||