The reporter clearly knows the distro fixes have not been shipped; read their report. They chose to disclose anyway.

>They chose to disclose anyway.

yes, because 30 days had passed from the time the patch landed in the kernel, as per industry standard.

approximately every security researcher, including the likes of google and other big names you may know, does a 90+30 disclosure, which is what happened here. they do this for good reason, which has been figured out over decades of experience in reporting thousands and thousands of vulnerabilities.

the only security researchers i know of that don't like 90+30 actually argue for shorter timelines (or immediate disclosures).

What do you think went differently in this case versus other high profile vulnerabilities that had binaries already available for major distros? I feel like it often (usually?) works out that major distros have kernel packages incorporating the fixes already available.

Is this just down to luck, a quirk in the timing about when Linus merged the fix versus when the release gets cut?